Outsourcing is the Best Protection You Have against Ransomware: Here is Why

2015 and 2016 have been a golden age for ransomware creators. There have been many high-profile ransomware infections at medical facilities around the world. The USA has been subject to several very high-profile attacks and more are expected. As our organizations get wiser, it is likely that the ransomware senders are going to get wise too and change their approach. If you want to protect your facilities against this extremely virulent type of malware, then outsourcing is your best option.


About Ransomware

You have probably heard of ransomware by now. It is a particularly vicious form of malware and is prevalent today. It comes with a threat to wipe your server of records, or make them publicly available, if you do not pay a ransom (usually in Bitcoin). It can stop your organization going about its business for days as you track back the infection and restore your systems. It is one of the biggest threats to digital healthcare records today.

 

Reason 1: Removes Avenues For Infection

The more avenues there are for infection, the greater the chance that your server will be infected. That’s a simple fact of life for any commercial enterprise. When outsourcing your records retrieval and storage with a third party, only a limited number of people at your end will be able to access our records under strict permissions. The major access way for malware is through human error. Cut off the potential courses of infection and you reduce the risk.

 

Reason 2: More Avenues of Protection

We have some of the most advanced protection software available. We have to, because HIPAA and other privacy laws demand that we do all we can to protect client records. We use the most up-to-date software and hardware and the best fail-safe systems in protecting that data. Commercial enterprises such as hospitals, legal bodies and insurance companies will often use systems that are “good enough”. Protection may be adequate for most daily practices, but inadequate for data protection.

 

Reason 3: Specialist Training

Our employees are dedicated to one job – record retrieval and storage. They are not healthcare professionals, lawyers or insurance executives. This singular focus allows them to have much greater depth of knowledge about HIPAA and data protection than anybody else in these professions. Human error is a major cause of hacks and data infection, and our employees’ training is so tight that they can identify all threats.

Benefits of Going Paperless, Then Outsourcing

Increasingly, we are moving to a digital world in our business transactions. Everything from invoicing, sales, customer research, administration and security is moving to the web. If you still use paper-based records for your legal medical files, then now might be the right time to switch to digital. Also, during this transition phase, there is no better time than now to outsource. Here, we present four reasons why.

 

It’s Swift and Painless

Sure, replacing all of your paper files with digital versions may take a while. You need to ensure that you’re uploading the right files in the right place. You also need to make sure you are transferring the right files and discarding those that you are able to destroy. Yet these processes never take as long as you might fear. When you switch to digital filing systems of record storage, Record Grabber makes it easy and painless, and easier to comply with HIPAA and other legal regulations.

 

It Saves You Time

The paper method of record storage is one of the slowest and most time-consuming methods. Ideally, you require an archivist. Requests can take a lot of time to process, especially if the archiving team has multiple requests for access throughout a working day. You need a record now at 9am; you can’t wait until 2pm. Digital records are faster to find and faster to use. When outsourcing, only authorized personnel can access the records, but they can do so much faster.

 

It Saves You Money

This is related to the above point. Did you know that companies like yours who opt to stick with paper record keeping spend $8bn every year wasting time searching for misplaced and missing paper records? That’s a vast amount of money. Misplacing records cannot happen with digital record keeping. Also, you will be able to turn over storage areas in your premises to something more profitable and save cash on wages by not increasing your archiving team.

 

It’s More Secure

Despite fear in the media about viruses, malware and even ransomware (a subject we have written about repeatedly), with the proper procedures your data will be safe. Many infections are the result of human error. Paper records can be stolen more easily following a break-in. A determined data thief can and will take the time to piece together paper strips – it has happened. When you go digital and outsource to Record Grabber, you have the benefit of our servers providing that extra security.

The Benefits of Keeping Electronic Medical Records Over Hard Copies

We have seen some profound changes to how we administer and record various healthcare transactions – legal compliance, treatment, medication and insurance. For most in the industry, there has been little change beyond legal compliance and others still prefer to maintain paper records to avoid what they feel are complications of HIPAA. Why should you switch to electronic medical record keeping and outsource to Record Grabber?


Lower Cost

Long-term administrative costs of electronic record keeping are much lower. Certainly, you need an IT infrastructure and security protocols, but once implemented, they are very cost effective. An increased volume of paper records is expensive in terms of actual cost, human resources for managing and monitoring and disposal. There is no such cost with electronic medical records.

 

Space

How long you can or should keep records varies from state to state, so storage space is an ongoing issue. Some of the largest healthcare organizations have large warehouses full of documents going back many years, unable to destroy them until the allotted time. Electronic records take up far less physical space than a warehouse as even the largest servers have a smaller footprint.

 

Security Issues

While electronic records are subject to hacks and other electronic security problems, they will not suffer other forms of security breach that affect paper records. With Cloud Storage, natural disasters will not destroy original electronic medical records as they will be backed up in cyberspace. Electronic medical records are generally secure and cannot be lost, dropped or misplaced in the same way that original paper records may.

 

Accessibility

Digital records may be shared by many people at once and when shareable in a suitable format, multiple people may also amend a digital file at once. This is not true of original paper copies. Do you remember going to the school library and finding that they had only three copies of a core textbook and all were booked out? Electronic filing does not suffer from such access limitation.

 

Handwriting Problems

Physicians are notorious for having illegible handwriting and using jargon and abbreviations that may make little sense to the nonprofessional or the administrator. When data is entered as printed text, there are fewer chances for others to make an error in reading instructions. When data is entered wrong on an electronic system, the software will normally flag up the problem and ask the user to make corrections.

All About Hybrid Record Keeping

 

The debate over whether it is best for a medical, legal or record keeping organization to hold paper or digital records has a third option. HHR (Hybrid Health Records) presents flexibility for you, your clients and your stakeholders, but there are drawbacks to mixing up your record storage types.

What is Hybrid Record Keeping?

Hybrid record keeping is where an organization like Record Grabber opts not for just paper records, nor for just digital, but a combination of the two. This can mean either that some types of record are paper and others are digital, or it means multiple copies of the same record depending on how you structure your files.

Hybrid is a workable standard, but there are potential problems when the system is not handled properly.

 

Advantages to Hybrid Record Keeping

The main advantage to using hybrid sets of records is that you will have multiple outlets for acquiring and storing your records. If one system fails (such as a cloud server breakdown) you will have back-ups (hard disk, paper format etc.) with which you can carry on working.

The second advantage is that you can stagger and vary your access. Rather than changing permissions on a digital file where some can edit and others may simply view, the paper backups are ideal for those with fewer permissions. HHRs add flexibility for your organization and flexibility is required no matter how big or small.

Hybrid systems work better for patients. A request for information release is problematic when based solely on paper. When there is an electronic form, it is easier to print while retaining the original document. However, there may be issues if specific information is kept separate as hard copies.

 

Disadvantages to Hybrid Record Keeping

The main disadvantage is that multiple outlets mean multiple avenues for data breach. As a professional record keeping organization we would strongly recommend using our service as a primary access point.

The second disadvantage is that it requires more working hours to maintain and access the files. When there are multiple copies of anything, it requires more in the way of resources to maintain. This could put a burden on your employees and your wage bill.

The third disadvantage is in the legal regulation of such files. Organizations need to be aware of their legal obligations in their state or broader Federal requirements. There may be extra criteria against which HIPAA compliance will be judged.

Ways to Manage Your Inactive Records

The problem with inactive records is that they take up so much space. You cannot dispose of them until the legally allotted time. Did you know that the overwhelming majority of historic records are never accessed? Those that are generally require just one access. Only a small handful require multiple uses. That is a lot of storage space (network or warehouse). What else could you do with them?

Use a Third Party Manager

The most obvious is that you outsource your record storage and access to Record Grabber. We are a professional service with many years of experience in this industry. We know how long to keep these records and how to manage and store them effectively, taking the hard work of records management away from legal and medical professionals. Our complex method of storage is designed for easy and quick access.

 

Keep Inactive Records Offsite

While you are organizing the outsourcing of your historic records, you may wish to separate out those that are nearing the end of their life. Anything with a year or less left could go in off-site storage. These can include records that have never been accessed and are therefore unlikely to become live again any time soon. Keeping records off-site can be expensive, but it is one way of freeing up physical space in your offices.

 

Organize by Active and Inactive

It may be the simplest thing to store records by date of intervention or by alphabetical order, but this could mean sifting through very old records. It may be advisable to use these divisions, but separate them out into a “traffic light” system of red, amber and green. Green can be the most active, amber as semi-active and red as inactive files nearing the end of their lives. Any color code would be useful, so long as the system is clearly defined.

 

Handling Digital Older Records

If your record keeping system is largely digital, the theories may be the same but the execution different. Depending on how you store your records digitally, you may wish to design a separate program or store them on portable media (such as removable hard disks, flash drives or DVD ROMs). This way, it stops your current database from taking up too much space while making access for live files easier.

 

Storage of inactive files can be problematic for healthcare professionals, legal experts and medical centers, but it is important to remember legal obligations regarding storage of historic records.

The Threat of Ransomware

Data security can be subject to many pitfalls – misplaced files, leaving documents open on computer screens, poor password choice and so on. Malicious software is another such threat; the last few years have seen the rise of a new one – something called Ransomware. Though it has been around since 2013, the last few months have seen a growing risk to the global medical industry.

What is Ransomware?

Ransomware is a type of malicious software (or malware) that infects systems and restricts access to data until a ransom has been paid. Some types encrypt the server data, for which the user must then buy a decryption key (typical demands are for bitcoins rather than hard currency), while others simply lock the system, which the originator then promises to unlock upon payment.

Who is Affected?

Many businesses are at risk but three recent attacks on hospitals have put the global medical industry on alert. The highest-profile case was the Hollywood Presbyterian Medical Center in Los Angeles. The facility declared an internal emergency after a Ransomware infection was discovered in early February. The hospital eventually paid out 40 bitcoins (around $17,000) to reacquire control of its system.

Within a week, Lukas hospital in Germany was also hit. They did not pay the ransom as they had a system in place to prepare for such malware attacks. They did wipe the affected systems and restore from backups; this led to cancelled appointments for patients and lost working hours for employees. Titus Regional Medical Center in Texas was another victim in January. The Center called in experts in data forensics to restore their systems; they did not pay the ransom.

Protecting Against Malware

There are simple steps that medical professionals at all levels can take to protect their systems against all forms of malware.

  • Invest in a good security system. Don’t cut corners financially, as medical professionals handle sensitive data that requires the highest levels of protection under HIPAA
  • Train employees on proper data protection, paying particular attention to the threats of malicious software and hacking
  • Should the worst happen, you need a back-up system. Regular archives should be kept in case of data loss by other methods – but particularly for malicious hacks
  • Finally, have you considered outsourcing your medical record storage and retrieval? Record Grabber is a dedicated service that keeps up-to-date records and has a high awareness level of ongoing and new threats to medical data

Basic Data Protection Tips to Ensure HIPAA Compliance

The HIPAA audit is almost upon us. Health and legal institutions across the country that handle patient records are preparing for a randomly chosen examination of data security policies and details. Record Grabber may or may not be selected for audit, and the same goes for many of the organizations that we deal with every day. If you too are likely to be audited, then we have some simple tips for you to follow to minimize problems.

Keep Your Employees’ Security Training Up To Date

Many data breaches are a matter of human error, and simple errors of judgement at that. In a moment of thoughtlessness, an employee opens an email with malware attached, or fails to lock their computer screen while out of the office. These small incidents make up the majority of data security problems. Ensure your employees understand their obligations on data security and have a refresher course if necessary. It’s easy to become lax when so much else is going on.

 

Keep Your Network Security Up To Date

Whether you are a one-man band or a large corporation, you need software to protect your network and the files stored on it against any form of attack. You also need to keep it up to date with the most recent virus signatures and upgrade the software package when it approaches obsolescence. This is an area where you should not cut corners; small companies are just as much at risk as big companies.

 

Risk Assessment

It is good business practice to conduct a risk assessment for personal safety in the workplace and you should already have one in place for data security. A risk assessment is designed to do exactly what the name suggests – identify potential risks and problems. How might data be breached? What avenues are there to lose data? What can we do about each of those potential threats?

Breaches are not inevitable, but they are not rare either. It’s important to know what you and your employees should do in the event of a breach – no matter how small or large. As mentioned above, there are simple steps that employees can take to protect data, but even with the best training things can go wrong. A wrongly entered email address, or a client’s change of postal address that you have not been told about, can be considered a data breach. Everyone needs to know what to do.

What You Need to Know About the Cybersecurity Act of 2015

 

In December 2015, the President signed into law the Cybersecurity Act of 2015. This act passed the Senate in October, cleared the House on December 15 and the President’s office three days later. What does this law mean for our clients? In this article, we present a brief summary.


Source: System Lock by Yuri Samoilov. Under Creative Commons (License Link)

What Is It?

Introduced into Congress in July of 2015, the then proposed Cybersecurity Bill was designed to improve cybersecurity standards across the country. This was to be achieved by enhancing the process of information exchange between private entities and government bodies. It also permits the sharing of information between the U.S. government and technology manufacturers and providers. It is designed, effectively, to create a network of communication for private and public bodies to work together to fight cybercrime and cyberterrorism.

What Does It Do?

The government and its supporters in industry expect that this new law will provide law enforcers and cybersecurity professionals with a number of measures to challenge and combat the growing global threat of cybercrime and cyberterrorism. Several high-profile hacks occurred in 2015; the Ashley Madison hack was the most high profile, but there were others, including UK telephone service provider TalkTalk, the FBI Portal, Samsung and Hilton Worldwide.

In some cases, people had their private details made public. When hackers have broken into security systems of companies that hold confidential information, the agency or company attacked has largely been unable to share information due to data protection laws until now. It is incidents like these that Congress now believes government agencies and private business now have the tools and the power to prevent.

 

How Will It Affect Your Records?

Concerns have been expressed about this law regarding citizens’ privacy. It will not compromise data that we hold on behalf of our clients, but enables us to better protect it. The Cybersecurity Act of 2015 permits private organizations and government agencies to share indicators and details of data hacks. Previously, we could not do this because, just as the data itself was protected, so was the process of accessing the data. The law commonly known as “The Wiretap Act” prevented the release of this information to anybody.

We believe that this new law, which gives us the ability to share this data with the US government and other private organizations, will lead to improved standards in the industry and better communication between government agencies and private industry.

The Politics of Dancing the HIPAA

Harder than walking the high wire between the former World Trade Center’s twin towers is hip hopping through HIPAA to get hold of medical records.

A patient walks into a doctor’s office for the first time or winds up in the emergency room. Even if it’s for a routine checkup, what patient isn’t a bit on edge? And there’s added stress if a patient has a mild case of hypochondria. When the patient arrives, he or she is handed a clipboard with page after page of questions and forms to fill out. If a patient is like me, they don’t keep track of every procedure, ailment, and allergy they’ve had. They don’t keep track of the dates of their inoculations and their yearly flu shot (if they get one). Sure, some people are always prepared and bring every tidbit of their medical history with them wherever they go, but that’s not the norm.

After they’ve gone through the long detailed questionnaire, they come to the consent forms and lastly, the HIPAA form. While there are no statistics available, I’m willing to bet that a patient views the HIPAA form one of three ways: without much thought, with too much thought and by rote. All three have the same outcome, essentially.

Without Much Thought

Even if one is paranoid, some folks, particularly the young and the healthy, really don’t give thought to who will have access to their records. Why should they? They’re more concerned about their lives, their careers, their social media accounts; not future medical complications that might arise. When they come to their HIPAA form they will most likely give permission to the first person that comes to mind at that moment.

With Too Much Thought

Then there’s the patient who gives too much thought to whom they will permit access to their records. They’ll run through the list of those close to them who they believe can be trusted and weigh the pros and cons of each person, finally settling on one or several persons they are ‘certain’ have their best interest at heart.

By Rote

Finally, there’s the seasoned patient who has the process down pat. This patient assigns HIPAA permission automatically. Most of these patients have ongoing medical conditions, long-term partners and/or living wills.

Not Etched in Stone

Life is a crap shoot the outcome of which is seven, eleven or craps and not etched in stone.

As I mentioned above, these three methods of assigning permission have the same outcome. HIPAA is ETCHED IN STONE and as such is designed as a heavy, cumbersome law whose tenets can cause an immovable barrier to retrieving medical records for both the patient and the patient’s loved one who may have been overlooked on the many HIPAA documents a patient signs over the course of their life.

What’s not etched in stone are the lives of people. What if the patient or their assigned HIPAA proxy(s) move away, end their friendship or relationship, become a bitter enemy, file for divorce, die from natural causes or from Force Majeure? Those and the infinite other scenarios shatter the tenets of HIPAA, either making it impossible to retrieve medical records or granting access to people who the patient deems should no longer have access to their medical records.

What patient keeps track of every HIPAA form he or she fills out? Let’s say there’s a divorce and it gets messy. The plaintiff (or vice versa) probably has access to the medical records of the defendant, who may not want the plaintiff to have them, yet the defendant may not remember every HIPAA form granting permission and the plaintiff now has ammunition against the defendant whether or not warranted.

What about all the other scenarios that can rear up and shatter the tenets of HIPAA?

The Professional HIPAA Dancer

Record Grabber is in the business of record retrieval and storage with an emphasis on medical record retrieval. While our main clients come from the legal, insurance and medical professions, Record Grabber is equally useful for the patient. Not only can Record Grabber retrieve all your medical records but we keep them stored digitally in a high security encrypted ‘vault’ that’s accessible 24/7 from anywhere worldwide.

Get to know us and the wealth of low-cost, cloud-based retrieval services Record Grabber offers you. Take a couple of minutes to go through our website, www.recordgrabber.com. Then, sign up to become a professional HIPAA dancer. If you’re still not sure of the choreography and have more questions, email us at info@recordgrabber.com or phone us at (877) 800-1147.

Our Legal Obligation on Data Protection – HIPAA

Everything we do, from the method of storage to how our employees interact with data and take adequate steps to ensure it complies with our obligations, is about protecting sensitive legal documents and patient information. We comply fully with HIPAA (Health Insurance Portability and Accountability Act) of 1996.

What Is HIPAA?

Passed by Congress in 1996, it specifies a number of issues on healthcare provision, covering such issues as what would happen in the event of a person losing their job, tax and administration. The Privacy Rule specified standards on how both hard copy and electronic data should be protected. In 2003, the Act was modified to include specific standards for electronic data protection (The Security Rule), and it is this element of HIPAA that is most relevant to what we do. The Privacy Rule and Security Rule together define the legal obligations of all entities handling, collecting and storing patient data.

 

Legal Obligations of HIPAA

Information that is covered by the Security Rule and the Privacy Rule includes:

  • Any and all confidential information shared between medical professionals, or between any legal party, insurance provider and healthcare professional

  • Conversations, including hard documents and emails, that any doctor has with any patient about treatment and care

  • Any information stored in the computer system of insurance companies that pertain to patient care and health provision

  • Billing information and details on financial transactions regarding a patient’s healthcare

  • Any other information about a patient and his or her medical care that is held for any reason by others who are required to follow HIPAA, including legal and government entities

 

Information on Data Storage and Protection

All organizations covered by these Rules of HIPAA are required to put safeguards in place that protect highly sensitive information about health and healthcare provision. They are required to limit access to employees on a “need to know” basis in order to maximize compliance with the Rules. Access to patient records and legal documents should be treated with the utmost security to ensure continued protection.

Adequate steps must be taken to protect data from electronic attack or “hacking”, and bodies are also required to train employees in the proper handling and protection of data – to retrieve only necessary data and in its proper disposal. Records must not be removed from designated areas and from buildings under strict guidelines on protection.