Email Confidentiality Notice

Posted on October 16, 2017 by Jean Eaton in Blog

October is CyberSecurity Privacy Awareness Month! Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge. The 15 Day Privacy Challenge is a fun, no cost educational opportunity on privacy and security.

Privacy Challenge #1

Take a quick look at your email address book: how many Jennifers and Toms do you see? Even uncommon names can show up more than once, and it’s easy to send an email to the wrong person by mistake.

Mistakes happen. But from a privacy perspective, it’s important that our email recipients know what we want them to do should we make an error of this sort. So it’s vital to include some guidelines in the form of a confidentiality notice.

Consider the following elements of a well-crafted confidentiality notice:

State your email privacy policy.
Encourage the recipient to inform you should an error occur.
Thank them for letting you know about any mistakes.
State that you believe their privacy is important, and that you will take every step necessary to correct the error to prevent it from happening again.

Does your email signature block and fax cover sheet include these points?

Do you want to enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches?

Join us for the Free 15 Day Privacy Challenge for more tips, tools, and templates that you can use right away!

We are proud to be a Champion of National Cyber Security Awareness Month #CyberAware.

#15DayPrivacyChallenge, #CyberAware, e-mail confidentiality statement, Practical Privacy Coach, privacy

Cyberextortion – Is Your Patient’s Health Information Protected?

Posted on May 19, 2017 by Jean Eaton in Blog

Alice had a few minutes before the clinic opened and the first patients arrived. She logged onto the computer and then her personal email through a webmail connection. She checked through her messages and opened an email from a supplier. She followed a link to a website looking for a deal on office supplies and was shocked to find pornographic images!

Alice closed the browser and closed her email.

Then she saw the message on the clinic's computer screen, “This operating system has been locked for security reasons. You have browsed illicit material and must pay a fine.”

Alice could not access any of the files on the computer, not even the clinic's electronic medical record (EMR).

Is data the new hostage?

Cyberextortion is a crime involving an attack or threat of attack followed by a demand for money to avert or stop the attack. Cybercriminals have developed ransomware which encrypts the victim's data.¹

A healthcare business has many types of data on the computer network – patient health information, employee personnel records, fee for service billing, accounting and tax information. That information is important to you – and makes it a valuable target for cybercriminals.

The motive for ransomware attacks is monetary, and unlike other types of security exploits, the victim is usually notified that an attack has occurred and is given instructions for how to recover data. Payment for recovery instructions is often demanded in virtual currency (bitcoin) to protect the criminal's identity. (see WhatIs.com for more information)

Here's what you should be doing now to prevent cyberextortion on your computer network.

Know where all your data is kept – your active patient records, archived patient records, billing records, etc. Remember to reclaim data that you may have left behind with previous vendors – transcriptionist, billing agents, remote data, retired EMR vendors, etc.
Collect only the information that you need; not information that might be nice to know or that you might have a use for in the future.
Install or update endpoint security solutions anti-malware and anti-virus software.
Backup your data with secure encryption. Make sure that you have the encryption key and that you know how to use it. Test restore the backup and test the encryption key, too.
Keep your backup separate from your computer network. You might store your backup on encrypted external drives or remote backup. But don't keep your backup device connected to your computer. If you are attacked by ransomware, the backup device can be locked. too.
Is your current back-up device secure? Your backup should be maintained in an area with appropriate physical safeguards – for example, in a locked, secure, filing drawer, safe or data centre in a location separate from the computer network.
Learn how to recognize phishing attacks so that you can prevent cyber attacks, too.

Risk can be mitigated through use of appropriate safeguards that will lessen the likelihood or consequences of the risk. Layers of safeguards – administrative, technical, physical – will help to prevent privacy and security breaches. When both the likelihood of the risk and the risk of harm is high, the more layers of safeguards should be considered to mitigate the risk.

Risk mitigation assessment is part of a privacy impact assessment (PIA). (What is a PIA?)

Review your current security policies and software with your technical support. If you have a small business and don't have in-house technical support, outsource a security review. Update your risk assessment. [clickToTweet tweet=”Don't become a victim of cyberextortion. #PrivacyAwarwe” quote=”Don't become a victim of cyberextortion.”]

Have you seen this?

The Office of the Information and Privacy Commissioner (OIPC) of Alberta has released an ‘Advisory for Ransomware'. You can learn more about preventative measures and ransomware response here.

10 Fundamental Cybersecurity Lessons for Beginners, by Jonathan Crowe, Nov 11 2015 to help you get started on improving your security.

See getcybersafe.ca for more information on common internet threats and on how cyber attacks affect businesses.

References

Search Security Tech Target. cyberextortion definition

cyberextortion, health care, healthcare, phishing, Practical Privacy Coach, privacy, ransomware, Safeguards, security

Privacy Impact Assessment (PIA)

Posted on May 1, 2017 by Jean Eaton in Clinic Manager / Privacy Officer, Established Practice, New Practice, Services, Vendor

Does your medical practice collect personal health information?

If so, you may need to conduct a Privacy Impact Assessment (PIA).

The Health Information Act requires health providers to complete a Privacy Impact Assessment when you:

open a new clinic
establish a new health services program
change how you collect and use personal information
implement Electronic Medical Records (EMR), or transition to a new EMR provider
share information with a Primary Care Network or other health program
access health information from Netcare or other data repositories

Information Managers' Privacy Impact Assessment (PIA) consultation helps you document your practices, meet practice management best practices, and ensure compliance with regulatory legislation.

The PIA consultation includes reviewing your current practices, documenting current or new privacy and security policies and procedures, information flow, legal authority analysis, risk assessment, and Privacy Impact Analysis. Contact us and we’ll take a look at your current office practices and let you know how we can help make your workload easier, your information secure, and meet regulatory compliance.

The ABCs of Privacy Impact Assessments

What do you know about Privacy Impact Assessments (PIAs)? If you have implemented an electronic medical record (EMR ) funded through a provincial program, you have probably had to go through a PIA. It was probably time consuming to some degree, but perhaps not as bad as you thought. Jean Eaton is a consultant and expert on Privacy Impact assessments in the medical office. She explains in this blog post, The ABCs of Privacy Impact Assessments, what you should expect when required to undertake a PIA.

Listen to the podcast with Dr. Alan Brookstone of Canadian EMR.

Document Management Tip: What is a Privacy Impact Assessment?

YouTube video: What is a Privacy Impact Assessment? Who needs a PIA? How can I tell if I have a PIA? Information about privacy impact assessments in Canada. Additional details for Alberta and Health Information Act, HIA, OIPC.

Having problems viewing the video here? Watch it on our YouTube channel: What is a PIA?

Computer Network Vendors and Privacy Impact Assessment

Video especially for vendors that supports healthcare practices

E-course: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments

A PIA should be as common place to a healthcare practice as a business plan is to a business. BUT most healthcare practices don’t know this and often don’t know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by completing a PIA.

If your Privacy Impact Assessment was written more than 2 years ago this e-course is for you

The Clinic Manager and Physician Lead and Privacy Officer must ensure its content is updated to reflect the current state of administrative, physical and technical controls.

BONUS! Checklist to update your PIA to meet recent changes to Alberta’s Netcare Portal. If your practice has completed a PIA and now you need to update the PIA, you receive a checklist of items that you need to consider to refresh your PIA.

If you a vendor that supports healthcare practices this e-course is for you

BONUS! One hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS! Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada. But time and geography limit my ability to visit each healthcare practice that needs a PIA. That’s why I developed this on-line interactive course to help you learn everything you need in order to review, amend, or create your own PIA. Each module includes a weekly live webinar, as well as templates, tools, resources and two common case studies to build on each week. You can use these scenarios to guide you through the PIA process.

You know your practice better than anybody else. If you had the right tools, at the time most convenient for you and a mentor to help you, you can develop good office practices, meet legislated and college requirements, and successfully complete your Privacy Impact Assessment requirements.

Consult, electronic medical record, EMR, health, healthcare, medical, Netcare, PIA, PIA completed, PIA templates, Privacy Impact Assessment

Medical Identity Theft – Examples

Posted on January 25, 2017 by Jean Eaton in Blog

Medical Identity theft is one of the fastest growing areas of organized crime.

It can affect individuals:

Financial and credit.
Inaccurate information added to your medical record.
Extortion of your personal health information.
False information can threaten your family or your employment.

It can affect health service providers:

Stolen identities of health service providers is used to set up fake clinics in their names and bill against stolen patient identities.

[clickToTweet tweet=”Prevent #MedicalIdentityTheft. Here's how.” quote=”Preventing medical identity theft starts by clinics asking to see picture ID from their patients.”]

Helps to reduce medication errors in healthcare.
Avoid providing services to fraudulent patients – ask for picture ID when you register a patient.
Improve your technical safeguards – budget for electronic data security investment.
Become aware of the risks and educate your staff.

Information Managers offers Privacy Awareness training on-site, group public workshops, and webinars. Don't miss an event – see Upcoming Events.

For more examples of how medical identity theft may impact your office, listen to the Health Care Technology Online Newsletter podcast

identity theft, medical identity theft, privacy

Identity theft protection (Would you know if there were two of you?)

Posted on January 25, 2017 by Jean Eaton in Blog

Would you know if there were two of you? Identity theft is a growing problem but there are things that you can do to protect yourself.

Identity theft happens when someone steals your personal information and uses it without your consent – to make purchases, take out loans, get medical services – and more! Victims can end up with drained bank accounts, destroyed credit, and the enormous task of fixing the problem.

5 tips to protect yourself from identity theft

Set up a schedule to review your credit card and bank statements – monthly, quarterly – and always have a ballpark in mind of your spending history
Once you've reviewed your statements, make sure that you've shredded the paper documents that you no longer need (and keep them in a secure place while you do need them!) By shredding your bank and credit card statements, you can prevent thieves from “dumpster-diving” for the easy information.
Set up a Google Alert for your name, business name, and other key identifiers (but not your account numbers). You will receive a listing of whenever your name appears in the internet.
Limit the amount of personal information that you share on-line, in stores, and on the forms that you fill out. Ask why they need your information.
Install and update anti-virus and malware protection software on your smartphone. Malware and viruses can access and steal personal information, which can lead to identity theft. ‪

Celebrate Data Privacy Day with Information Managers!

Tweet This!

Concerned about your privacy online? The FREE Data Privacy Day E-course makes it easy for you to enjoy the benefits of the internet while protecting your privacy.
It's easy, fun and filled with practical tips, tools, and resources! Get it before it's gone.

Follow Data Privacy Day around the world using Twitter and #PrivacyAware.

We are proud to be a Data Privacy Day Champ!

#DPD15, best practice, Data Privacy Day, identity theft protection, Practical Privacy Coach

Are cookies a good thing?

Posted on January 24, 2017 by Jean Eaton in Blog

Hungry? Cookies may sound good when they're filled with chocolate chips, but when cookies are used to track your online activity, they can result in behavioral tracking that advertisers use to target products to you.

You may be okay with this when it leads you to your next great shoe sale, but if you use a shared computer and search for something more private, the next person to browse the web on your computer may get bombarded with ads for the wedding rings – something you didn't want them to know.

A silly example, but if you use the internet for activities that require more personal information – such as online banking or shopping – cookies can save and remember your account number, credit card number, mailing address, phone number and more.

Privacy Tip – Delete your cookies!

Especially if you use a shared computer or if you are doing activities that require your personal information.

Celebrate Data Privacy Day with Information Managers!

Tweet This!

Follow Data Privacy Day around the world using Twitter and #PrivacyAware.

We are proud to be a Data Privacy Day Champ!

#PrivacyAware, best practice, cookies, Data Privacy Day, Practical Privacy Coach

Why Does Data Privacy Matter So Much?

Posted on January 23, 2017 by Jean Eaton in Blog

Data privacy is important. But the real question is, why does data privacy matter so much?

“Our personal information is built with our data that enriches, defines, educates and connects us. Data tells our story.” M. Dennedy, VP & CPO at Cisco.

Celebrate Data Privacy Day with Information Managers!

Tweet This!

Follow Data Privacy Day around the world using Twitter and #PrivacyAware.

We are proud to be a Data Privacy Day Champ!

#PrivacyAware, best practice, Data Privacy Day, Practical Privacy Coach, Practice Management Mentor, privacy awareness, training

Do you know the most frequent source of a privacy breach?

Posted on October 29, 2016 by Jean Eaton in Blog

October is Cyber Security Awareness Month! Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge. The 15 Day Privacy Challenge is a fun, no cost educational opportunity on privacy and security.

Challenge #15 Privacy Breach

80% of all privacy breaches are caused inside the business

Have you ever received a phone call from your bank telling you that your credit card information may have been compromised or stolen?

Be glad you did. While this kind of call may frighten you and create doubt and cause inconvenience, it is far better to be notified and to solve the problem than to let it persist. And if the bank catches the theft early and calls you to let you know how they have prevented it from happening again, you are likely to thank the bank for looking out for your best interests.

The same thing happens when you suspect that you have a privacy breach at work. You need to stop it, report it, inform the client, and let them know what you are doing to solve the problem. It is never an easy phone call to make, but most of the time the client appreciates your concern.

Watch the video, “Can You Spot the Privacy Breach?” for some handy information about what is a privacy breach, how to spot one, and what the most common mistakes are that you need to avoid.

Ideal for privacy officers, clinic managers, practice managers, healthcare providers, owners.

Do you want to enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches?

Join us for the Free 15 Day Privacy Challenge for more tips, tools, and templates that you can use right away!

We are proud to be a Champion of National Cyber Security Awareness Month #CyberAware. #15DayPrivacyChallenge.

#15DayPrivacyChallenge, #CyberAware, Practical Privacy Coach

Internet of Things

Posted on October 28, 2016 by Jean Eaton in Blog

October is Cyber Security Awareness Month! Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge. The 15 Day Privacy Challenge is a fun, no cost educational opportunity on privacy and security.

Have you ever wondered on your way home from work, “I wonder if we need more milk?”

It might be very handy to have your refrigerator scan the CPU codes of the food in your fridge, and automatically place an order to your local grocery store ready for you to pick up milk on your way home. Your car will already have the address and traffic updates sent to the GPS to make your trip hassle-free.

“Internet of things” refers to things connecting to the internet and communicate with other each other.

But don't let the convenience of things connecting to the internet create an additional security threat. You need to keep password management and software security up to date.

See the infographic created by NCSAM to explain the Internet of Things.

Do you want to enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches?

Join us for the Free 15 Day Privacy Challenge for more tips, tools, and templates that you can use right away!

We are proud to be a Champion of National Cyber Security Awareness Month #CyberAware. #15DayPrivacyChallenge.

#15DayPrivacyChallenge, #CyberAware, Internet of Things

Can You Access Your Personal Information?

Posted on October 23, 2016 by Jean Eaton in Blog

October is Cyber Security Awareness Month! Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge. The 15 Day Privacy Challenge is a fun, no cost educational opportunity on privacy and security.

Privacy Challenge #9 Right to Access Your Own Personal Information

Our right to the privacy of our personal information is very important.

In our organizations, when we collect personal information from our employees and clients, they have the right to access this information from us. They may want to do this to ensure the information is correct, complete, and has been used only for the purpose to which they agreed.

A privacy charter is a useful document that communicates your position on the collection, disclosure, and use of private information. It informs your clients of their rights and explains your commitment to keeping their information safe.

Here is a sample privacy charter that you can modify for your use:

To help you, we need to ask you for your personal information.
We will ask you before we share your information.
It is our job to keep your personal information safe.
We will tell you why we need to collect your personal information, before the information is collected.
Only with your agreement will we collect, use, and share personal information about you. You may change your mind at any time.
We will only ask you for the personal information that is needed to help you.
We will use your personal information only for purposes to which you agreed.
If you have any questions, speak to our Privacy Officer.
- Used with permission from NWC FASD Network

Can a patient have a copy of their own health record?

Patient Access to Health Records

Under most privacy legislation, including Alberta’s Health Information Act, a patient has the right to access their own records about themselves. The information that a patient provides to the healthcare provider belongs to the patient. The healthcare provider is responsible to maintain the information on paper or in a computer and ‘owns’ the documents.

Watch the Video Patient Access to Health Records

Do you want to enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches?

Join us for the Free 15 Day Privacy Challenge for more tips, tools, and templates that you can use right away!

We are proud to be a Champion of National Cyber Security Awareness Month #CyberAware #15DayPrivacyChallenge

#15DayPrivacyChallenge, #CyberAware, access, patient access to health records, Practical Privacy Coach

‹1 2 3 4 ›»