Information Managers

How Does Unique User ID Protect Patient Information In Your Practice?

Posted on August 18, 2022 by Izza Nuguit in Blog

Why You Need Unique User ID In Your Healthcare Practice

When you’re setting up computer systems for your healthcare practice, start by ensuring that every user has a unique user identity (user ID).

Sharing login credentials among everyone on your team can compromise account security, which makes you more vulnerable to phishing attempts and increases the risk of sensitive information getting into the wrong hands.

Today we’re going to look at why you need to ensure everyone on your team who requires access to IT systems has their own unique user ID and login credentials.

What is User ID?

The user ID or username that you create when you are granted access to a computer network or software application should be unique to the user (not shared). The user ID is persistent—that is, it doesn’t change.

While a user ID needn’t be as complex as a password, you want to avoid an easily guessed or spoofed name. Instead, create a user ID that is reasonably short and uses a mix of letters, numbers, and special characters. The system should not allow duplicate user IDs and may have additional criteria about what the name can include.

Sometimes, the user ID appears linked to the content that you enter. For example, the username might be associated with a clinic note you enter in the electronic medical record, internal messaging, or even a blog post.

You can think of the user ID as your digital signature that uniquely identifies the computer user.

 

You may also have certain programs or additional software, applications, and data, including sensitive information, personally identifying information (PII), and personal health information (PHI) which require an additional unique user ID and password.

Don’t Share Your Unique User ID!

Individuals are responsible for their unique user ID. A user ID is important because it provides non-repudiation: it ensures that the user cannot deny having taken a particular action.

For example, on an office computer, a user ID is used to log in to the system. Once the user is logged in, they can view their personal folders and shared folders, access printers, and so on. If the user were to deny accessing and printing a particular file, the user ID would prove that they had indeed accessed and printed the file.
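How that attribution works in an audit log, and how it breaks down when one login is shared, shown as an added example that is not part of the original article. The log format, user IDs, workstation names and file names are constructed for illustration.

```python
"""Added example: replay an audit log and check whether each action
can be tied to one person. All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user ID, workstation, event, detail
SAMPLE_LOG = """\
2022-08-18T08:01:10 jsmith7 FRONTDESK-1 LOGON -
2022-08-18T08:02:45 frontdesk FRONTDESK-2 LOGON -
2022-08-18T08:15:02 jsmith7 FRONTDESK-1 FILE_PRINT payroll_2022.xlsx
2022-08-18T08:20:31 frontdesk EXAM-ROOM-3 LOGON -
2022-08-18T08:41:17 frontdesk EXAM-ROOM-3 FILE_PRINT patient_list.pdf
2022-08-18T09:05:00 frontdesk FRONTDESK-2 LOGOFF -
2022-08-18T09:30:12 frontdesk EXAM-ROOM-3 LOGOFF -
2022-08-18T12:00:00 jsmith7 FRONTDESK-1 LOGOFF -
"""


def parse_log(text):
    """Turn log lines into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, host, event, detail = line.split(maxsplit=4)
        events.append({
            "time": datetime.fromisoformat(stamp),
            "user": user,
            "host": host,
            "event": event,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["time"])


def analyse(events):
    """Replay events in order.

    Returns (shared, actions):
      shared  - user ID -> workstations seen in overlapping sessions
      actions - every non-logon event, with an 'attributable' flag that is
                False when the user ID had sessions open on more than one
                workstation at the time of the action.
    Overlapping sessions are a signal to review, not proof of sharing: one
    person can legitimately be logged on to two workstations.
    """
    active = defaultdict(set)   # user ID -> workstations with an open session
    shared = defaultdict(set)
    actions = []
    for e in events:
        hosts = active[e["user"]]
        if e["event"] == "LOGON":
            hosts.add(e["host"])
            if len(hosts) > 1:
                shared[e["user"]] |= hosts
        elif e["event"] == "LOGOFF":
            hosts.discard(e["host"])
        else:
            actions.append({**e, "attributable": len(hosts) <= 1})
    return dict(shared), actions


def report(shared, actions):
    """Build human-readable findings for the practice's privacy officer."""
    lines = []
    for user, hosts in sorted(shared.items()):
        lines.append(
            f"REVIEW: user ID '{user}' was logged on to "
            f"{', '.join(sorted(hosts))} at the same time"
        )
    for a in actions:
        status = "one session" if a["attributable"] else "overlapping sessions"
        lines.append(
            f"{a['time'].isoformat()} {a['event']} {a['detail']} "
            f"by '{a['user']}' on {a['host']} ({status})"
        )
    return lines


if __name__ == "__main__":
    shared_ids, logged_actions = analyse(parse_log(SAMPLE_LOG))
    print("\n".join(report(shared_ids, logged_actions)))
```

In the sample, the print job under `jsmith7` traces back to a single session, while the print job under the shared `frontdesk` login cannot be tied to one person from the log alone.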

Layers of Protection Are Better

A two-step process that requires the user to enter their unique user ID to access a computer or device, and another unique user ID to access a program like an EMR, is an example of a dual login. This added level of security ensures that an authorized user has access to both the local device and the software.

Multi-factor authentication (MFA) is a better level of security. Again, this starts with entering a unique user ID on the device, then a different unique user ID to access specific software, and then a token or code that is sent to the user. The user must enter the code into the software before access is granted. The goal of this authentication intent is to make it more difficult to access devices or applications without the subject’s knowledge, such as by malware on the endpoint.

MFA is a core component of a strong identity and access management (IAM) policy. It all starts with having a unique username, password, and an additional verification factor, which decreases the likelihood of a successful cyber attack.

79% of organizations have experienced an identity-related security breach in the last two years [Identity Defined Security Alliance] and 61% of all breaches resulted from stolen credentials, whether through social engineering or brute force attacks. [Verizon Data Breach Investigations Report]. 

Why You Need Unique User ID In Your Healthcare Practice

Benefits of enforcing unique user ID for every user include:

  • Tracking user activity and managing overall operations on a particular system, network, or application.
  • Improved security, decreased likelihood of inappropriate access, reduced errors, reduced malicious actions internal and external to the business.
  • Avoidance of fines and sanctions under privacy legislation.

My EMR / EDR Has Unique User ID. Isn’t That Good Enough?

Many healthcare practices have not yet implemented a unique user ID policy. Instead, they rely on the electronic medical record (EMR), electronic dental record (EDR) or other practice management software (PMS) system to require unique user ID to access this sensitive data.

This simply isn’t good enough. Locking the back door while the front door is unlocked is not a sufficient deterrent to prevent unauthorized access to your systems and the information that they contain.

I’m certain that there are other sections in your computer files where sensitive information (employee, business, and/or patient information) is maintained. This needs to be protected by identity management and audit tracking, too.

The extra layer of protection of having unique user ID to access your computer system AND another unique user ID to access your EMR / EDR is a reasonable safeguard. Alberta Netcare, NIST, and privacy regulations recommend this minimum standard.

In IBM’s Cost of Data Breach Report 2021, compromised credentials were responsible for 20% of breaches.

Having shared user accounts (instead of unique user ID) increases the likelihood that the user credentials will be compromised and may result in a privacy and security incident.

The IBM report also identified that a zero trust approach helped reduce both the likelihood and the cost of a privacy and security breach. Zero trust means that everyone accessing electronic data must use strong authentication and authorization at all times. In short, don’t assume that a user is authorized to access a computer just because they are using it at a specific location.

Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

Make It Easy To Implement Unique User ID Policy

Businesses should use business-grade computer hardware and software for their computer networks and mobile devices. Select operating systems that make it easy to create and manage user accounts. Ensure that user activity audit logging is enabled.

You might be ‘pretty good’ at managing a computer. However, I recommend that healthcare providers, clinic managers, and business owners contact a local computer network technician or managed service provider to help you properly set up user management. Protect your patients’ information and your practice with good computer user management.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies, not just those related to your work, but things in the world which can affect how you manage your practice and patients.

Changing technology is a huge part of that world, and properly managing computer systems is just one aspect of that.

Become a member of the Practice Management Success Membership!

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!


Privacy Compliance and Technology in Healthcare

Posted on March 7, 2021 by Meghan in Blog

Event by Rafiki Technologies with Information Managers

 

A Privacy Impact Assessment (PIA) is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently.

Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Join Rafiki Technologies’ Naheed Shivji and Information Managers’ Jean L. Eaton for a guide to successfully keep your patients’ information safe, follow cyber security best practices, and comply with the requirements of the Health Information Act (HIA).

This on-line workshop will provide you with practical tips to plan your Privacy Impact Assessment (PIA) amendment as well as a strategic cybersecurity checklist.

Who Should Attend?

  • Medical, dental, chiropractic, optometric, pharmacy practices in Alberta.
  • Clinic manager, privacy officer or administrative lead responsible for updating your Privacy Impact Assessment.
  • Healthcare provider

Join Naheed Shivji and Jean L. Eaton for a guide to your PIA completion and technology requirements

Thursday, March 18th, 2021

6:00 PM – 7:00 PM MT

Free Registration

 


Meet Naheed Shivji, Founder & President of Rafiki Technologies Inc.

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

Meet Jean L. Eaton, BA Admin (Healthcare), CHIM, CC

Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada.

Jean helps independent healthcare practices with practice administration, privacy awareness, privacy breach management, and legislated regulation compliance in Canada.

Jean's career started as a receptionist and transcriptionist in a busy family medical walk-in practice. She moved into health records and health information management and hospital administration in hospitals, regional health authorities, cancer agencies across Canada and Alberta Health.

Now, Jean specializes her consulting practice to independent healthcare practices who want to start, grow, or improve their practice administration so that healthcare providers can focus on providing quality healthcare services. Jean provides training to businesses including healthcare on practical privacy and security best practices and privacy breach management.

If you are starting your new practice and need your first Privacy Impact Assessment, see our available consultation options here.

You May Also Be Interested In:

 

“What is a Privacy Impact Assessment?”

Read the article and watch the short video now to take a look at what is a PIA, what will a PIA do for you, when you need a PIA, and what is the PIA process.

You can also listen to the Practice Management Nuggets podcast episode here.  

 

“How Long Does it Take to do a New Privacy Impact Assessment?”

Ideally, you should start the Privacy Impact Assessment process 3 to 6 months prior to your go-live date. Find out more by reading the article.


Privacy and Security In Telehealth Summit

Posted on October 5, 2020 by Jean Eaton in Blog

Growth in telehealth has exploded in 2020 – and so have the privacy and security risks!

  • 46% of consumers are now using telehealth to replace cancelled healthcare visits (1).
  • Providers have rapidly scaled offerings and are seeing 50 to 175 times the number of patients via telehealth than they did before (2).
  • 90% of patients prefer telemedicine over in-office visits (3).

At the same time, we have seen:

  • 80% of security breaches caused by stolen or brute forced credentials.
  • Individual’s COVID-19 testing status and contact tracking inadvertently released to the public.
  • Unsecure video conferencing exposing personal information to others.

When you properly balance the opportunities of telehealth with safeguards to protect the privacy and security of our patients’ health information, you can:

  • Improve patient access to healthcare and patient satisfaction;
  • Develop viable new business models;
  • Maintain and improve patient relationships;
  • Implement flexible staffing employment models to respond to the demands of the pandemic.

Announcing Virtual Health Privacy Summit

In this Virtual Health Privacy Summit, we’re going with TED-style talks – short, engaging presentations from industry experts on compelling topics that are important to your clinic, practice, or business.

This event is ideal for chiropractors, physiotherapists, doctors, dentists, dental hygienists, dental assistants, dental technicians, receptionists, treatment coordinators, practice managers, privacy officers, or owners of a healthcare practice.

Register Now for the Virtual Health Privacy Summit!

Wednesday October 21, 2020

 

 

Keynote – Dr. Kale Matovich
Natural Way Chiropractic

The Phoenix Plan: How Our Chiropractic Practice Uses Telehealth to Support Our COVID Recovery

The COVID-19 pandemic significantly affected the way chiropractors provide care to their patients. Dr. Kale Matovich will share his experiences of implementing telehealth solutions as an unconventional, yet essential, component of both patient care and business recovery at Natural Way Chiropractic.

 

Dr. Angela Mulrooney
Unleashing Influence

Pivoting To Online Possibilities

COVID-19 has shoved us into the future of technology-adoption in healthcare. If you don’t level up and get with the advancements, you will be left behind. Angela will discuss the best innovations and how you can make the most of them in your healthcare practice to ensure online income during shutdowns and into the future of your practice.

 

Anne Genge
Alexio Corporation

Easy and Affordable Ways to Dramatically Increase Your Security Online

“Anne takes difficult concepts and makes them interesting and understandable for everyone” (Maggie S. – attendee: Privacy & Security for Office Managers Course 2019)

Who is this for? This talk is designed for all people working with computers and will give you excellent strategies for your office and home use.

Most people have antivirus on their computers but breaches, data theft, and ransomware keep happening. Learn why, and learn how a few tweaks to how you’re working can make an exponential difference to the security of your patient and personal data.

 

Jean L. Eaton
Information Managers Ltd.

Practical Telehealth Privacy Tips For Your Practice

Your Practical Privacy Coach, Jean L. Eaton, will share practical privacy tips you need to know to implement your telehealth program including:

  • Patient on-boarding;
  • Informed consent to telehealth notice; and
  • How to easily document telehealth encounters in your practice.

 

Lauren Sergy
Up Front Communication

The Keys to Buy-In: How to Get Staff and Patients On Board With New Practices and Processes

Changing how we work can be difficult. No matter what it is you’re changing – shifting your privacy practices, engaging in telehealth, or implementing some other new process – getting buy-in from staff, partners, and patients is crucial to the success of your initiative. In this fascinating session, communication and speaking expert Lauren Sergy will take you on a high-level look at how persuasion works, revealing key strategies to getting the buy-in and commitment you need from your staff.

This is the second summit from Canada's Health Privacy Summit. 

People are talking about the Canadian Health Privacy Summit! 

“Absolutely great and informative summit :)”

“This was the best presentation on this topic that I have heard in the 50 years that I have practiced.”

“Great opportunity for those of us who are in the dental industry to learn about issues related to digital information security”

“A lot of information packed into an afternoon with an opportunity to learn more and connect with the presenters made this a valuable learning experience. Looking forward to the next summit. Thank you!”

References:

(1, 2) McKinsey COVID-19 Consumer Survey, April 17, 2020. https://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/telehealth-a-quarter-trillion-dollar-post-covid-19-reality#

(3) Dr. Mike Greiwe, Practice Management Nuggets, 2020 September 22, https://practicemanagementnuggets.live/why-medical-practices-will-have-to-offer-telemedicine/ 

We are Cybersecurity Awareness Month Champions!

The Health Privacy Summit is a Champion of online safety and data privacy. This #CybersecurityAwareness Month we're hosting the Privacy and Security In Telehealth Summit October 21! #BeCyberSmart @StaySafeOnline @Cyber #vhps2020


CHIMA’s Emerging Privacy Management Practices in Health Care series

Posted on July 30, 2020 by Meghan in Blog

Emerging Privacy Management Practices in Health Care 

I'm tickled pink to be the facilitator for CHIMA's new continuing education series.

The Canadian Health Information Management Association (CHIMA) recently launched a live, 5-part privacy series, Emerging Privacy Management Practices in Health Care, beginning on August 6, 2020.

Telehealth and virtual care implementation has advanced 10 years in the last 3 months in response to the coronavirus (COVID-19) pandemic. This series covers the critical aspects of implementing modern privacy management practices in your health care organization. This series is suitable for individuals with privacy-related roles (e.g., managers, vendors, or employees) across the continuum of health care (e.g., acute, primary, long-term or community care).

Each module will cover a privacy-related topic area including privacy awareness, release of information (ROI), access and disclosure, security/cybersecurity, and breach management. Environment overviews are shared throughout the series along with new opportunities for health information professionals in both traditional and emerging roles. By keeping current with these trends, health information professionals will be better prepared to assume new roles within privacy management.

Attend the live webinars to participate in a Q&A period with series facilitator and industry expert Jean L. Eaton.

Learn more at echima.ca/privacy-series

Speakers:

Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean L. Eaton is a Certified Health Information Management (CHIM) professional, and privacy awareness training facilitator.

She has had the honour of sharing her passion for practical privacy and confidentiality advice with hundreds of medical clinics, health care practices, and organizations across Canada and the United States.

Jean has over 20 years of experience in health information management and health care administration and over 15 years in her independent privacy consulting practice. She makes practical recommendations for thousands of independent health care providers to help them comply with privacy legislation and create efficient practices.

Jean is also a keynote speaker on the topic of privacy breach management and serves as an on-demand ‘virtual privacy officer’.

The live webinars will occur on the first Thursday of each month from August to December.

 

Module | Date | Time
1. Privacy awareness | August 6, 2020 | 12:00 – 1:30 pm EST
2. Release of information | September 3, 2020 | 12:00 – 1:30 pm EST
3. Access and disclosure in patient portals, information sharing, and health information exchange environment | October 1, 2020 | 12:00 – 1:30 pm EST
4. Security/cybersecurity | November 5, 2020 | 12:00 – 1:30 pm EST
5. Privacy breach management | December 3, 2020 | 12:00 – 1:30 pm EST

Your Guide to Privacy & Security Measures for the Health Care Industry

Posted on June 11, 2020 by Meghan in Blog

I’m tickled pink to be a guest of Rafiki Technologies' EVOLUTION SERIES

Join Rafiki Technologies and Jean Eaton to learn effective ways to keep your patient information safe and secure.

Confidentiality and security of personal health information (PHI) are crucial in the health care industry. It's your job to keep your records safe and your patient's information private, confidential, and secure.

Electronic medical records (EMR) have many advantages but security concerns are attached. Internet hackers are able to access private information in a matter of minutes if the medical practice doesn't have strong security measures in place and well-trained staff.

Learn how to protect your patient data with Rafiki Technologies' President Naheed Shivji. He and his team have worked in the medical industry for many years and they understand how to integrate proper IT and security measures seamlessly into existing infrastructure.

Joining Naheed Shivji is a Certified Health Information Management Professional, Jean L. Eaton. Jean is exceptionally versed in privacy awareness training and tools and works alongside many healthcare providers to ensure they're using the right protocols to keep patient information protected while complying with privacy legislation. 

Speakers:

Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

I assist healthcare providers, clinic managers, practice managers, privacy officers, and independent healthcare practice owners with practical privacy awareness training and tools that are easy to implement, cost-effective, and meaningful to your day-to-day business.

As a Certified Health Information Management professional (CHIM), and privacy awareness training facilitator, I have had the honour to share my obsession about practical privacy and confidentiality advice with hundreds of medical clinics and healthcare practices and organizations across Canada and the US.

With over twenty years of experience in health information management and healthcare administration and over 15 years in my independent consulting practice, I have made practical recommendations for 1000’s of independent health care providers to help them comply with privacy legislation and create efficient practices.

 

Naheed Shivji, Founder & President of Rafiki Technologies Inc

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

 

Your Guide to Privacy & Security Measures for the Health Care Industry

Tuesday, June 16th, 2020

6:00pm MDT


Do you want to enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches?

Posted on September 11, 2017 by Jean Eaton in Archive

Is this you?

Paul clicked on a link in an email that encrypted all his data on his computer and now he has to pay a ransom to get the data back.

Mary used her work email address to register for the course, “Ready to leave your job?” Now her boss thinks that she is looking for a new job.

Alice did not follow your clinic policies and procedures properly and she left a confidential message with the wrong patient.

Bob is a new employee and will start his orientation tomorrow.

They each use the internet for their personal lives and as an employee. You need to know the best practices on the internet and how to protect your personal information. It's easy once you know how!

The 15 Day Privacy Challenge is a fun, FREE online educational opportunity on privacy and security that you can use at home or at work. Enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches when you use these practical tips, tools, and resources.

This free online course is ideal for businesses, healthcare practices, or clubs and their privacy officers, employees, and their families.

The course is free – there is no risk to you and you will see that the 15 Day Privacy Challenge is the perfect way to make small changes easily that can improve the privacy and security of your information right away!

We are official champions of the National Cyber Security Awareness Month (NCSAM). October is Cyber Security Awareness Month and Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge.

The 15 Day Privacy Challenge starts October 15th, for fifteen days.

The challenge includes tasks centered on a privacy or security best practice. Each challenge includes a short description about why this practice is important, how to get started, and links to additional resources. Each challenge will take approximately 15 minutes to complete. All activities are online and accessible from any internet enabled device.

Businesses and healthcare providers are legally responsible to ensure that every employee, contractor, and vendor receives privacy and security training, including cyber awareness. Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by being up to date on privacy and security best practices.

Training is the cornerstone of every privacy and security program.

People love games, challenges, and cyber competitions to create variety and interest in privacy and security best practices. The 15 Day Privacy Challenge uses a variety of multi-media content that everyone in your practice can understand. Privacy awareness training alone won’t guarantee that mistakes or errors in judgement won’t happen, but Privacy Awareness Training is your logical first step.

The 15 Day Privacy Challenge includes easy to access on-line resources delivered each day. You will have access to all of the resources for one year on the website.
BONUS – access to discussion group with other participants to share your tips.

What People Are Saying 

Don't just take it from us, here is what previous participants are saying:

“The 15 Day Privacy Challenge has given me some additional information on day-to-day responsibilities that I hadn't considered until now. Each Privacy Challenge has been so informative and I've been sharing it with our office staff.”
Vera, Alberta Health Services

“The 15 Day Privacy Challenge has made me aware of the policies that my facility needs to update/create!”
Rachel Worthing, CHIM, Ontario Shores Centre for Mental Health Sciences

“The 15 Day Privacy Challenge has given me some great resource information and helped me to identify the areas that I need to work on. I found value in almost all of the Privacy Challenges, but I would say Risk Assessment, Social Media, Email Phishing and Spam, and Confidentiality are the top four.”
Sharon

The 15 Day Privacy Challenge includes:

  • Posters
  • Short articles with practical information
  • Videos
  • Infographics
  • Links to additional free resources
  • Certificate of completion

The 15 Day Privacy Challenge includes practical tips on:

  • Confidentiality
  • Privacy Collection
  • Manage USB Sticks and Mobile Devices
  • Computer Backup
  • Computer Security
  • Spam email, Phishing emails, Spear-phishing
  • Privacy Officer Education
  • The Right to Access Your Own Personal Information
  • Change Your Passwords
  • Employee Orientation
  • Social Media
  • Risk Assessment
  • Privacy Breach Reporting

At the end of the challenge, you will receive a printable certificate of completion. Successful challengers might also find that this qualifies for CPE credits, too!

You will also have many more tools to add to your privacy tool box!

You can do this yourself or make it a team event. The finished tasks and poster will contribute to your business' Privacy Management Program. Proudly display your poster to your co-workers and customers to show the steps you have taken to manage privacy and security.

Register right away while this is fresh in your mind! You won’t want to miss a single one!


Yes, I'm ready to take the Privacy Challenge!

Includes the webinar on October 19 – Do Your Club Volunteers Protect Your Privacy?


Cyberextortion – Is Your Patient’s Health Information Protected?

Posted on May 19, 2017 by Jean Eaton in Blog

Alice had a few minutes before the clinic opened and the first patients arrived. She logged onto the computer and then her personal email through a webmail connection. She checked through her messages and opened an email from a supplier. She followed a link to a website looking for a deal on office supplies and was shocked to find pornographic images!

Alice closed the browser and closed her email.

Then she saw the message on the clinic's computer screen, “This operating system has been locked for security reasons. You have browsed illicit material and must pay a fine.”

Alice could not access any of the files on the computer, not even the clinic's electronic medical record (EMR).

Is data the new hostage?

Cyberextortion is a crime involving an attack or threat of attack followed by a demand for money to avert or stop the attack. Cybercriminals have developed ransomware which encrypts the victim's data.¹

A healthcare business has many types of data on the computer network – patient health information, employee personnel records, fee for service billing, accounting and tax information. That information is important to you – and makes it a valuable target for cybercriminals.

The motive for ransomware attacks is monetary, and unlike other types of security exploits, the victim is usually notified that an attack has occurred and is given instructions for how to recover data. Payment for recovery instructions is often demanded in virtual currency (bitcoin) to protect the criminal's identity. (see WhatIs.com for more information)

 

 


 

Here's what you should be doing now to prevent cyberextortion on your computer network.

  1. Know where all your data is kept – your active patient records, archived patient records, billing records, etc. Remember to reclaim data that you may have left behind with previous vendors – transcriptionist, billing agents, remote data, retired EMR vendors, etc.
  2. Collect only the information that you need; not information that might be nice to know or that you might have a use for in the future.
  3. Install or update endpoint security solutions, including anti-malware and anti-virus software.
  4. Back up your data with secure encryption. Make sure that you have the encryption key and that you know how to use it. Test restore the backup and test the encryption key, too.
  5. Keep your backup separate from your computer network. You might store your backup on encrypted external drives or remote backup. But don't keep your backup device connected to your computer. If you are attacked by ransomware, the backup device can be locked, too.
  6. Is your current back-up device secure? Your backup should be maintained in an area with appropriate physical safeguards – for example, in a locked, secure, filing drawer, safe or data centre in a location separate from the computer network.
  7. Learn how to recognize phishing attacks so that you can prevent cyber attacks, too.
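Steps 4 and 5 call for a test restore. The Python sketch below is an added example, not part of the original post: it compares SHA-256 digests of the original files against a restored copy and reports anything missing, changed, or unexpected. The folder names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                # Read in 1 MiB chunks so large record exports do not fill memory.
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_restore(source_root, restored_root):
    """Report files that the test restore lost, altered, or added."""
    source = build_manifest(source_root)
    restored = build_manifest(restored_root)
    common = source.keys() & restored.keys()
    return {
        "missing": sorted(source.keys() - restored.keys()),
        "changed": sorted(p for p in common if source[p] != restored[p]),
        "unexpected": sorted(restored.keys() - source.keys()),
    }


def restore_is_good(report):
    """A restore passes only when nothing is missing, changed, or unexpected."""
    return not any(report.values())


def demo():
    """Constructed sample: a live folder and a deliberately damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        files = {
            "records/chart-001.txt": b"constructed sample chart 001\n",
            "records/chart-002.txt": b"constructed sample chart 002\n",
            "billing/2017-05.csv": b"invoice,amount\n1001,45.00\n",
        }
        for name, data in files.items():
            (live / name).parent.mkdir(parents=True, exist_ok=True)
            (live / name).write_bytes(data)
        # Simulate a bad restore: one file truncated, one file never restored.
        (restored / "records").mkdir(parents=True)
        (restored / "records/chart-001.txt").write_bytes(files["records/chart-001.txt"])
        (restored / "records/chart-002.txt").write_bytes(b"constructed")
        return compare_restore(live, restored)


if __name__ == "__main__":
    report = demo()
    print(report, "PASS" if restore_is_good(report) else "FAIL")
```

Compare the restore against a copy or manifest of the data as it was when the backup ran; files edited since then will show up as changed.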

 


Risk can be mitigated through the use of appropriate safeguards that lessen the likelihood or consequences of the risk. Layers of safeguards – administrative, technical, physical – will help to prevent privacy and security breaches. When both the likelihood of the risk and the risk of harm are high, more layers of safeguards should be considered to mitigate the risk.

Risk mitigation assessment is part of a privacy impact assessment (PIA). (What is a PIA?)

Review your current security policies and software with your technical support. If you have a small business and don't have in-house technical support, outsource a security review. Update your risk assessment.

 

Have you seen this?

The Office of the Information and Privacy Commissioner (OIPC) of Alberta has released an ‘Advisory for Ransomware'. You can learn more about preventative measures and ransomware response here.

10 Fundamental Cybersecurity Lessons for Beginners, by Jonathan Crowe, Nov 11 2015 to help you get started on improving your security.

See getcybersafe.ca for more information on common internet threats and on how cyber attacks affect businesses.

References 

Search Security Tech Target. cyberextortion definition

 


How to Prevent Phishing Attacks

Posted on January 27, 2017 by Jean Eaton in Blog

“Hello Dear sir/madam, I have received large sum of money to be transferred to your bank account.Please to email me right away with your account information. Many thanks.”

Ever get one of these emails? We're pretty good at recognizing this kind of scam, but cyber criminals are very clever at finding new ways to hijack our personal data.

These kinds of attacks are called “social engineering attacks” and they include “phishing”, “spear phishing”, “pharming” and “vishing“. These attacks exploit human tendencies of wanting to be helpful to people in need, trusting those with some form of authority, or even just being curious or greedy.

Claiming to be a system administrator who needs your password to fix your account, or your credit card company needing to verify your credit card number and expiration date, or someone from far away who will give you millions of dollars as soon as you send him some money first: these are all ways to gain unauthorized access to systems or information in order to commit fraud or identity theft.

It only takes one click!

A phishing scam usually involves an e-mail that encourages a user to click on a link, which could then expose the user’s computer to malicious software. The software can then open the doors to unauthorized disclosure of information, loss of information and/or denial of network service.

We have also seen an increase in the number of ransomware attacks where the attacker, once inside the victim’s system, changes the passwords or encrypts the data from the authorized users’ files. The attacker then demands that the owner pay them to return access to the information.

Last year, the Canada Revenue Agency was forced to delay the tax-filing deadline because its network was exposed to the Heartbleed bug, which essentially allows unauthorized people to access supposedly protected Internet traffic. A computer-science student in London, Ont., is facing several charges for exploiting the vulnerability created by the bug to access sensitive information. (The Globe and Mail, May 14, 2015.)

Don't get caught on the phish-hook! 

There are many creative ‘cyber bad guys' who love to trick you into providing your personal information. You need to educate yourself about the kind of scams out there, and take heed to prevent a cyber attack.

Employees are still widely considered to be the weakest link in any security infrastructure, so it’s no surprise that phishing remains so popular and effective.

The fact is, a good phishing email looks just like a regular message from people we know and care about and, to make matters worse, it can also be difficult to detect.

When it comes to phishing, prevention is the best defense. Investing in employee education and training now can save you a great deal of time and effort further down the line.

How Do You Avoid Being a Victim?

Tip – Be secure, be suspicious, be up-to-date.

Instructions


  • Learn more about phishing – The Office of the Privacy Commissioner of Canada has Top 10 tips to protect your inbox, computer and mobile device.
  • Educate yourself – and your staff and family – about cyber security awareness. Use ‘The Realist’s Guide to Cybersecurity Awareness’ from Barkly to help you with ideas on how you can create a privacy and security awareness program.
  • Print the poster 5 Ways to Help Employees be Privacy Aware.
  • Use the Family Digital Chores Checklist from ESET-NCSA to remind you to conduct routine digital maintenance at home and at work.
  • Be suspicious of emails from financial institutions or other organizations that ask you to provide personal information online. Reputable firms never ask for information in this manner.
  • Look closely for clues to fraudulent emails like a lack of personal greetings and spelling or grammatical mistakes.
  • Verify a phone number before calling it – if someone left you a message or sent an email claiming to be from your financial institution, make sure you check that the number is the one printed on the credit card or your bank statement.

 


Celebrate Data Privacy Day with Information Managers!

 

Concerned about your privacy online? The FREE Data Privacy Day E-course makes it easy for you to enjoy the benefits of the internet while protecting your privacy.
It's easy, fun and filled with practical tips, tools, and resources!

Click here: Get it before it's gone.

Follow Data Privacy Day around the world using Twitter and #PrivacyAware.


Smartphone Privacy Tips

Posted on January 26, 2017 by Jean Eaton in Blog

Ah, smartphones. The wonderful technology that lets us call, text, email, and Facebook to our heart's content, all while throwing some digital angry birds. What's not to love?

Quite a lot, actually, if you fail to protect your privacy.

Smartphones can store and transmit a wide range of data that third parties can access – such as your contact list, your pictures, and your browsing history. They are also vulnerable to viruses and malware that can compromise your personal information. Many apps that you have downloaded or that came pre-installed use geo-location, which allows you to be tracked wherever you go. Using Wi-Fi hotspots is a great way to get around paying for data usage on your phone bill, but Wi-Fi hotspots can also leave you vulnerable to intrusion.

Wondering if a smartphone is a good idea for your child?

Taylor Tompkins provides step-by-step instructions on how you can modify your child’s smartphone security settings to help you limit the phone’s applications to those that meet parental approval and empower your child to use their smartphone responsibly.

For more security tips for your smartphone, including a review of apps, how to secure your work email, access your bank from your mobile device, make safe purchases on your mobile, and reduce security breaches, see “Smartphone Security Guidance” (TigerMobiles.com).

Memory Devices Too

Sometimes we forget that our cell phones are memory devices, too. Plugging in your cell phone to a computer USB port might be a convenient way to listen to music while you are at work or to charge up your phone – but it is also a way to upload viruses from the phone to the computer or to download data from the computer to the cell phone! Don't let employees plug in their phones to your computers at work.

Do You Use a Digital Wallet?

Using your phone to pay for your purchases is the ultimate convenience. Not surprisingly, it comes with additional risks, too. VISA recommends that users keep “L-O-K” in mind to add extra layers of security to protect their digital wallet. See more details here:

How to “LOK” down your digital wallet

So how do you protect your mobile privacy?

Tip – Secure and protect your phone to protect your smartphone privacy.

Instructions

  • Secure your phone with a unique password
  • Protect your phone with security software and update its operating system when prompted
  • Opt-out of the location service feature – many apps do not need geo-location enabled to work
  • Limit the type of business you conduct using Wi-Fi hotspots. If you use Wi-Fi frequently, consider using a VPN connection.  See the infographic from Point-Bl_nk Communications
  • Turn off Bluetooth and Wi-Fi roaming; turn them on only when you need them
  • Help the Good Samaritan return your lost phone; enable your screen lock display with a contact phone number or email to find you.

For more smartphone privacy tips, see Information Managers Data Privacy Day E-course. Get it before it's gone!

Resources

Ackroyd, Brandon. “Smartphone Security Guidance” (TigerMobiles.com) 2015-Dec-14.

Martin, Stacy. “Helpful or Creepy? The Creep-O-Meter Could Help You Find Out” Stay Safe Online Blog 2015-Nov-13.

Tompkin, Taylor. Empowering Your Child to Use Their Smartphone Responsibly, Stay Safe Online Blog, 2013-Jul-16.

See all the Data Privacy Day E-course resources posted each day on our website.


Celebrate Data Privacy Day with Information Managers!


Concerned about your privacy online? The FREE Data Privacy Day E-course makes it easy for you to enjoy the benefits of the internet while protecting your privacy.
It's easy, fun and filled with practical tips, tools, and resources! Get it before it's gone.

Follow Data Privacy Day around the world using Twitter and #PrivacyAware.

We are proud to be a Data Privacy Day Champ!


Do you want to enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches?

Posted on September 18, 2016 by Jean Eaton in Archive

Is this you?

Paul clicked on a link in an email that encrypted all his data on his computer and now he has to pay a ransom to get the data back.

Mary used her work email address to register for the course, “Ready to leave your job?” Now her boss thinks that she is looking for a new job.

Alice did not follow your clinic policies and procedures properly and she left a confidential message with the wrong patient.

Bob is a new employee and will start his orientation tomorrow.

They each use the internet for their personal lives and as an employee. You need to know the best practices on the internet and how to protect your personal information. It's easy once you know how!

The 15 Day Privacy Challenge is a fun, FREE educational opportunity on privacy and security that you can use at home or at work. Enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches when you use these practical tips, tools, and resources.

This free course is ideal for businesses, healthcare practices, or clubs and their privacy officers, employees, and their families.

The course is free – there is no risk to you and you will see that the 15 Day Privacy Challenge is the perfect way to make small changes easily that can improve the privacy and security of your information right away!

October is Cyber Security Awareness Month and Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge.

The 15 Day Privacy Challenge starts October 14th, for fifteen days.

The challenge includes tasks centered on a privacy or security best practice. Each challenge includes a short description about why this practice is important, how to get started, and links to additional resources. Each challenge will take approximately 15 minutes to complete.

Businesses and healthcare providers are legally responsible to ensure that every employee, contractor, and vendor receives privacy and security training, including cyber awareness. Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by being up to date on privacy and security best practices.

Training is the cornerstone of every privacy and security program.

People love games, challenges, and cyber competitions to create variety and interest in privacy and security best practices. The 15 Day Privacy Challenge uses a variety of multi-media content that everyone in your practice can understand. Privacy awareness training alone won’t guarantee that mistakes or errors in judgement won’t happen, but Privacy Awareness Training is your logical first step.


 The 15 Day Privacy Challenge includes easy to access on-line resources delivered each day. You will have access to all of the resources for one year on the website.
BONUS – access to discussion group with other participants to share your tips.

The 15 Day Privacy Challenge includes:

  • Posters
  • Short articles with practical information
  • Videos
  • Infographics
  • Links to additional free resources
  • Certificate of completion

The 15 Day Privacy Challenge includes practical tips on:

  • Confidentiality
  • Privacy Collection
  • Manage USB Sticks and Mobile Devices
  • Computer Backup
  • Computer Security
  • Spam email, Phishing emails, Spear-phishing
  • Privacy Officer Education
  • The Right to Access Your Own Personal Information
  • Change Your Passwords
  • Employee Orientation
  • Social Media
  • Risk Assessment
  • Privacy Breach Reporting

At the end of the challenge, you will receive a printable poster, bragging rights, and an opportunity to win a draw for a small prize basket (Canadian participants, only).

You will also have many more tools to add to your privacy tool box!

You can do this yourself or make it a team event. The finished tasks and poster will contribute to your business' Privacy Management Program. Proudly display your poster to your co-workers and customers to show the steps you have taken to manage privacy and security.

Successful challengers might also find that this qualifies for CPE credits, too!

 

Register for the 15 Day Privacy Challenge!


Register right away while this is fresh in your mind! You won’t want to miss a single one!

 

 



Copyright 2023 Information Managers Ltd.
