Healthcare Technology Vendor News

CTI Technology Confirmed as HIPAA Compliant

Posted by HIPAA Journal

CTI Technology, an Elgin, IL-based managed IT service provider, has demonstrated compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules using Compliancy Group’s proprietary HIPAA methodology and compliance tracking solution, The Guard.

Any company that provides a product or service to healthcare organizations that requires access to systems containing protected health information (PHI) is classed as a HIPAA business associate. Following the introduction of the HIPAA Omnibus Final Rule, all business associates of HIPAA-covered entities must comply with HIPAA Rules or face stiff financial penalties for noncompliance.

CTI Technology believes compliance with HIPAA Rules is essential for protecting patient privacy, improving data security, and reducing fraudulent activity. The company educates its clients on the measures required to ensure compliance with the HIPAA Security Rule and how, through compliance, cyberattacks can be thwarted and regulatory fines avoided.

CTI Technology has recently completed Compliancy Group’s 6-stage risk analysis and remediation program and has demonstrated compliance with the regulatory standards of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, HIPAA Omnibus Rule, and HITECH Act.

After completing the program and demonstrating HIPAA compliance, the company was awarded Compliancy Group’s “HIPAA Seal of Compliance”. CTI Technology is one of the only tech companies in the North-western region of Chicago to ensure that all employees have received the required training and are fully aware of their responsibilities under HIPAA and the importance of the privacy and security standards and implementation specifications of HIPAA.

The HIPAA Seal of Compliance helps CTI Technology differentiate its services from its competitors and demonstrate to prospective healthcare clients that the company is fully complaint with HIPAA regulations.

The post CTI Technology Confirmed as HIPAA Compliant appeared first on HIPAA Journal.

IT Service Provider Choose Networks Achieves HIPAA Compliance with Compliancy Group

Posted by HIPAA Journal

The Wichita, KS-based IT service provider, Choose Networks, has achieved HIPAA compliance with Compliancy Group.

Choose Networks was established in 2001 to provide small to medium sized businesses with enterprise-grade IT support. The company now employs over 35 people and provides IT support services to a wide range of companies, including many in the healthcare industry.

As an IT service provider, Choose Networks requires access to systems containing protected health information. As such, the company is considered a HIPAA business associate and is required to comply with HIPAA Rules.

In order to ensure that all requirements of HIPAA have been met and to demonstrate the company follows the same policies, procedures, and administrative practices as its healthcare clients, Choose Networks partnered with Compliancy Group and completed its 6-Stage HIPAA risk analysis and remediation process.

“Choose Networks delivers an excellent customer experience, and this doesn’t stop with technical guidance and support. It is paramount to do everything it takes to protect our customers,” said Lindsay Smith, Vigilance Coordinator at Choose Networks. “For this reason, we requested assistance from Compliancy Group to audit our business to ensure we understand and are upholding HIPAA compliancy regulations.”

Using Compliancy Group’s proprietary HIPAA methodology and its compliance software, The Guard, Choose Networks demonstrated compliance with all aspects of HIPAA Rules and has been awarded Compliancy Group’s HIPAA Seal of Compliance.

The Seal of Compliance confirms Choose Networks has met its requirements and has implemented an ongoing program to ensure continued compliance with the HIPAA Privacy, Security, Breach Notification Rules and the HITECH Act.

The company is using Compliancy Group’s Seal of Compliance to differentiate its services from the competition and demonstrate to prospective clients that the company is fully committed to HIPAA compliance.

The post IT Service Provider Choose Networks Achieves HIPAA Compliance with Compliancy Group appeared first on HIPAA Journal.

Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant

Posted by HIPAA Journal

The Cleveland, OH-based technology solution provider, Direct Connect Computer Systems, Inc., has demonstrated the company is fully compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules.

Companies that provide technology solutions and services to healthcare clients that require contact with electronic protected health information (ePHI) are classed as ‘business associates’ under HIPAA.

Business associates of HIPAA covered entities must ensure they are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules, and must ensure the confidentiality, integrity, and availability of ePHI at all times. Business associates face substantial fines if they are discovered not to be compliant with HIPAA Rules.

In order to start providing products and services to healthcare organizations, companies must be able to provide reasonable assurances that they are fully compliant with HIPAA Rules. To help provide those assurances and demonstrate the company’s commitment to privacy and security, Direct Connect Computer Systems, Inc., partnered with Compliancy Group and completed its Six Stage Risk Analysis and remediation process.

Using Compliancy Group’s proprietary software, The Guard, and assisted by Compliancy Group Compliance Coaches, Direct Connect Computer Systems successfully completed the program and was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance recognizes Direct Connect’s good faith efforts to comply with all HIPAA and HITECH Act requirements and confirms the company has met its regulatory obligations as a HIPAA business associate.

The post Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant appeared first on HIPAA Journal.

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

Posted by HIPAA Journal

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months was dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches or 11% of all breached records. 35% of incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. There were 24 theft incidents were reported involving at least 184,932 records and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,”  wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

The post First Half of 2019 Sees 31.6 Million Healthcare Records Breached appeared first on HIPAA Journal.

Atlantic.Net Celebrates 25 Years as Internet and Cloud Services Provider

Posted by HIPAA Journal

Atlantic.Net, a cloud service provider that specializes in HIPAA-compliant hosting for the healthcare industry, is celebrating its 25th anniversary this year.

The company was formed in 1994 as an Internet service provider, but over the years has adapted with the latest technology trends and in 2009 transitioned into cloud services. Over the next 10 years the company further developed its hosting platform and associated services and is now a major cloud services provider with more than 15,000 business clients in over 100 countries.

“What started as an ISP in a university dorm has evolved into a leading Cloud Services Provider that our clients have come to rely on for powering their businesses, securing their data, and ensuring compliance and business continuity,” said Atlantic.Net Founder, President, and CEO, Marty Puranik. “By offering optimized Cloud and traditional hosting that protects and scales with our customer’s businesses, we have grown into an international brand with a computing presence in multiple countries. We thank our loyal staff and clients, without whom our success would not be possible.”

The rapid growth of the company’s customer base has been helped in no small part by the expansion of its services into the healthcare sphere. Atlantic.Net now offers a range of HIPAA-compliant services to the healthcare sector, including HIPAA-compliant cloud hosting, database hosting, WordPress hosting, cloud storage, disaster recovery, and a range of managed security services to help healthcare organizations improve their cybersecurity posture and comply with HIPAA Rules.

There is certainly a lot to celebrate at Atlantic.Net this year. The company has received awards from Inc 500, MedTech Breakthrough, Florida 100 and many others for its sustained growth, customer service, products, and services.

CEO Marty Puranik has also been recognized for outstanding leadership and has collected an Ernst & Young’s Entrepreneur of the Year award, a Business Journal’s Forty Under 40 award, and as been inducted into The University of Florida Hall of Fame.

The post Atlantic.Net Celebrates 25 Years as Internet and Cloud Services Provider appeared first on HIPAA Journal.

Critical VxWorks Vulnerabilities Impact 2 Billion Devices

Posted by HIPAA Journal

Security researchers at Armin have identified 11 vulnerabilities in the VxWorks real-time operating system that is used in around 2 billion IoT devices, medical devices, and control systems.

Six of the vulnerabilities have been rated critical and can be exploited remotely with no user interaction required. A successful exploit would allow a hacker to take full control of an affected device. The vulnerabilities are collectively known as “Urgent/11”

VxWorks was first created more than 30 years ago and was developed to serve as an ultra-reliable operating system capable of processing data quickly. Today, VxWorks is the most popular real-time operating system in use and can be found in patient monitors, MRI machines, elevator control systems, industrial controllers, data acquisition systems, modems, routers, firewalls, VOIP phones, and printers.

Armin researchers alerted Wind River about the flaws and patches have now been issued to address the vulnerabilities. Wind River said all currently supported versions of VxWorks are affected by at least one of the vulnerabilities. The vulnerabilities are all in the transmission control protocol/Internet protocol (TCP/IP) stack of VxWorks, also known as IPnet.

The vulnerabilities are:

  • CVE-2019-12256 – Stack-based buffer overflow – CVSS v3: 9.8
  • CVE-2019-12257 – Heap-based buffer overflow – CVSS v3: 8.8
  • CVE-2019-12255 – Integer Underflow – CVSS v3: 9.8
  • CVE-2019-12260 – Improper restriction of operations in memory buffer – CVSS v3: 9.8
  • CVE-2019-12261 – Improper restriction of operations in memory buffer – CVSS v3: 8.8
  • CVE-2019-12263 – Concurrent execution using shared resource with improper synchronization – CVSS v3: 8.1
  • CVE-2019-12258 – Argument injection or modification – CVSS v3: 7.5
  • CVE-2019-12259 – Null pointer dereference – CVSS v3: 6.3
  • CVE-2019-12262 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12264 – Argument injection or modification – CVSS v3: 7.1
  • CVE-2019-12265 – Argument injection or modification – CVSS v3: 5.4

Some of the vulnerabilities affect VxWorks versions which are at or approaching end of life (Versions back to 6.5) and also the now discontinued product, Advanced Networking Technology (ANT). Wind River also reports that one of the vulnerabilities – CVE-2019-12256 – also affects the WvWorks bootrom network stack, as it leverages the same IPnet source as VxWorks.

The following VxWorks products are not affected:

  • VxWorks 5.3 to VxWorks 6.4 inclusive
  • VxWorks Cert versions
  • VxWorks 653 Versions 2.x and earlier.
  • VxWorks 653 MCE 3.x Cert Edition and later.

Patches for the affected VxWorks versions can be obtained by emailing Wind River- SIRT@windriver.com – and stating the which version needs to be patched. Xerox and Rockwell Automation have released their own security advisories about the vulnerabilities.

Affected individuals have been advised to apply the patches as soon as possible. Wind River said there have been no reported instances of the vulnerabilities being exploited in the wild.

The post Critical VxWorks Vulnerabilities Impact 2 Billion Devices appeared first on HIPAA Journal.

Qmetis Inc. Demonstrates HIPAA Compliant Status by Completing Compliancy Group HIPAA Risk Analysis Program

Posted by HIPAA Journal

The NY-based healthcare technology company Qmetis has successfully completed Compliancy Group’s 6-State HIPAA Risk Analysis and remediation process and has been confirmed as being in compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules for HIPAA business associates.

Qmetis develops web-based interactive quality assessment and quality assurance decision-support tools for healthcare professionals. The tools help hospitals and medical centers, and physician’s offices consistently deliver evidence-based care to patients. The tools are used in real-time at a patient’s bedside and support treatment decisions. Healthcare organizations that have adopted the tools have been able to improve outcomes and reduce costs.

The tools developed by Qmetis interact with patient health information, so the company is considered a business associate under HIPAA and is required to comply with HIPAA Rules.

The company had already developed a HIPAA compliance program, but as part of its continuing commitment to compliance, the company partnered with the Compliancy Group and used The Guard software to complete it’s 6-stage Risk Analysis and remediation process.

Assisted by Compliancy Group’s HIPAA compliance coaches, Qmetis was guided through the compliance process by Compliancy Group’s proprietary software – The Guard. The software and the implementation plan have been vetted against the letter of the law and have been confirmed as meeting federal NIST requirements.

Completion of the implementation plan has confirmed that Qmetis is in compliance with HITECH Act requirements and all business associate provisions of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules.

Successful completion of the implementation plan and the good faith efforts of Qmetis to comply with federal regulations has seen the company issued with Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to healthcare organizations that a company is committed to meeting and exceeding federal standards for privacy and security and confirms the company takes its compliance obligations seriously and is committed to protecting the privacy of its clients’ data.

The post Qmetis Inc. Demonstrates HIPAA Compliant Status by Completing Compliancy Group HIPAA Risk Analysis Program appeared first on HIPAA Journal.

Computer Doc Achieves HIPAA Compliance with Compliancy Group

Posted by HIPAA Journal

Compliancy Group has announced that the Indian Trail, NC-based IT firm Computer Doc has completed the initial phase of its HIPAA compliance journey and has demonstrated compliance with the HIPAA Privacy, Security, Breach Notification, Omnibus Rules and the requirements of the HITECH Act.

Since 1997, Computer Doc has been providing IT support and consultancy services to businesses in and around Charlotte, NC. The firm focuses on providing IT support to small to medium sized businesses to help them increase productivity, improve efficiency, and boost profitability through the intelligent use of IT.

In order to reassure healthcare companies that the firm is aware of the requirements of HIPAA and is committed to providing a HIPAA-compliant IT support service, Computer Doc signed up with the Compliancy Group and was guided through the compliance process.

“With HIPAA violation fine enforcement up 400% in recent years and series of high-profile breaches and multi-million dollar settlements that drew national attention, the importance of HIPAA compliance for both IT service providers (BAs) and their healthcare IT clients (CEs) has never been more urgent,” explained Compliancy Group.

Using the Compliancy Group’s proprietary compliance tracking software, The Guard, and assisted by Compliancy Group coaches, Computer Doc completed the 6-stage implementation program and demonstrated compliance with all relevant provisions of HIPAA Rules.

“Achieving compliance with HIPAA has improved our business and opened the doors to many medical practices that we could not help before,” explained Computer Doc.

After demonstrating compliance with HIPAA, Computer Doc is entitled to display Compliancy’ Group’s HIPAA Seal of Compliance. The Seal of Compliance demonstrates to all HIPAA-covered entities that the firm is fully compliant with HIPAA regulations and patient’s ePHI is secure.

The post Computer Doc Achieves HIPAA Compliance with Compliancy Group appeared first on HIPAA Journal.

Selarom Demonstrates Compliance with HIPAA Regulations

Posted by HIPAA Journal

El Monte, CA-based Selarom is a specialist cybersecurity firm that provides services to healthcare organizations to help them secure their sensitive data and comply with HIPAA Rules.

The company now offers a ‘HIPAA Compliance Complete Solution’ and provides a comprehensive security package for both the managerial and technical sides of organizations. Ensuring sensitive information stays private and confidential is the company’s No1 priority.

HIPAA compliance is more important today than ever before. The number of cyberattacks on healthcare organizations has reached unprecedented levels. 500+ record healthcare data breaches now being reported at a rate of more than one a day. If a breach occurs, the HHS’ Office for Civil Rights will investigate and ask for evidence of HIPAA compliance.

Many small healthcare providers struggle to comply with all provisions of the HIPAA Privacy and Security Rules. In the event of a breach or audit, those providers will be at risk of regulatory fines.

Selarom helps companies secure their data and prevent data breaches. The company ensures that in the event of a breach, it will be possible to demonstrate all reasonable and appropriate controls had been implemented in full compliance with HIPAA Rules, thus avoiding regulatory fines.

To help provide a more comprehensive service to its clients, Selarom partnered with the Compliancy Group. Through the use of The Guard, Compliancy Group’s proprietary compliance software, Selarom has demonstrated full compliance with all aspects of HIPAA and HITECH Act regulations and has been awarded Compliancy Group’s HIPAA Seal of Compliance.

Selarom is now providing an all-in-one security and compliance solution incorporating a breach prevention platform, incident response and analysis, security risk assessments, employee training, and audit support.

The post Selarom Demonstrates Compliance with HIPAA Regulations appeared first on HIPAA Journal.