4 HIPAA Violation Cases and What Companies Can Learn from Them

4 HIPAA Violation Cases: Cautionary Tales for Businesses

Do you have a company dealing with patient health data? If yes, you need to seriously think about HIPAA compliance. Check out these HIPAA violation cases to know what you’re in for if you don’t comply with HIPAA’s rules.

The Health Insurance Portability and Accountability Act (HIPAA) created a standard for how medical information can be stored and accessed.

Breaking this law can have serious consequences, including jail time and massive fines. As you’ll soon see in these HIPAA violation cases, it’s easy to overlook things that are actually serious violations.

Keep reading to find out what you can learn from these four cases to avoid becoming a cautionary tale yourself.

1. Train Employees

It can’t be stressed enough how important it is to make sure every employee is trained to avoid HIPAA violations. And, it’s not enough to have them read over the guidelines on their first day.

Ongoing HIPAA training will help prevent violations, as these regulations will stay at the front of employees' minds. In addition to training employees, having a system in place that instantly catches violations will help prevent things from going too far.

This lesson was learned the hard way by a clinic located in Virginia. When a high-profile patient came in, 14 of their employees couldn’t resist checking out the electronic file. However, because of the logging system in place, all of these improper logins were caught and the employees were promptly fired.
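An added illustration of the kind of audit-log check that caught the clinic's employees: it flags every access to a flagged patient record by a user with no documented care relationship, and counts how many distinct users looked at each such record. This is example code written for this page, not the clinic's system; the log lines, the restricted-patient flag and the care-team roster are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed EHR access-audit log (not from the clinic in the article).
# Format: timestamp,user,patient_id,action
AUDIT_LOG = """\
timestamp,user,patient_id,action
2019-03-04T09:02:11,dr.patel,P-1001,view
2019-03-04T09:05:40,nurse.kim,P-1001,view
2019-03-04T09:07:02,billing.ross,P-1001,view
2019-03-04T09:08:15,reception.ng,P-1001,view
2019-03-04T09:09:30,dr.patel,P-2002,view
2019-03-04T09:12:55,lab.ortiz,P-1001,view
2019-03-04T10:30:00,nurse.kim,P-2002,update
"""

# Patients whose records are flagged for extra scrutiny (assumption: a
# VIP / sensitive-record flag maintained by the privacy officer).
RESTRICTED_PATIENTS = {"P-1001"}

# Users with a documented treatment or payment relationship per patient
# (assumption: exported from the scheduling and billing systems).
CARE_TEAM = {
    "P-1001": {"dr.patel", "nurse.kim"},
    "P-2002": {"dr.patel", "nurse.kim"},
}


def parse_audit_log(text):
    """Parse the CSV audit log into a list of dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_improper_access(rows, restricted, care_team):
    """Return every access to a restricted record by a user who is not on
    that patient's care team: the pattern the clinic's logging caught."""
    hits = []
    for row in rows:
        pid = row["patient_id"]
        if pid in restricted and row["user"] not in care_team.get(pid, set()):
            hits.append((row["timestamp"].isoformat(), row["user"], pid, row["action"]))
    return hits


def users_per_restricted_record(hits):
    """Count distinct improper users per record; a spike (14 users on one
    chart, as in the article) is the tell-tale sign of staff snooping."""
    counts = defaultdict(set)
    for _, user, pid, _ in hits:
        counts[pid].add(user)
    return {pid: len(users) for pid, users in counts.items()}


if __name__ == "__main__":
    rows = parse_audit_log(AUDIT_LOG)
    hits = find_improper_access(rows, RESTRICTED_PATIENTS, CARE_TEAM)
    for hit in hits:
        print("IMPROPER ACCESS", *hit)
    print(users_per_restricted_record(hits))
```

In practice the same check runs on a schedule against the EHR's audit export, and each hit becomes a ticket for the privacy officer rather than a printed line.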

2. Consider Waiting Room Design

HIPAA compliance starts in the waiting room. One private practice was investigated after a violation and had to completely change the way their waiting room was set up.

The first lesson to learn here concerns the position of the computer monitors. They should not be placed in such a way that patients or other visitors can see them at any time.

Additionally, any conversation that could reveal what a patient has come in for needs to happen in private. In this violation case, a staff member told a waiting patient about HIV-testing procedures in front of other patients.

3. Keep Track of Data Storage Devices

The best way to avoid a HIPAA violation because of portable devices is to keep data from being stored on anything like a laptop or flash drive. These are easily stolen and if that happens, it will result in a severe HIPAA fine.

A cardiac monitoring device vendor settled with the Office of Civil Rights (OCR) for $2.5 million after a laptop that held hundreds of patients' records was stolen from an employee's vehicle.

A similar incident occurred in a private practice when an employee at a dermatology office misplaced a flash drive. The practice had to pay a $150,000 fine and change its policies regarding portable storage devices.

4. Don’t Allow Professionals to Treat Acquaintances

When a close friend or family member is at risk because of a patient, it may prove to be too strong a temptation for those treating them. That was the case with one such nurse in New York.

After her sister-in-law's boyfriend was diagnosed with an STD, she couldn't help but warn her sister-in-law about it. It cost the nurse her job, and the clinic is still in litigation with the patient whose confidentiality was violated.

Takeaways from These HIPAA Violation Cases

Hopefully, you picked up a few tips from these HIPAA violation cases so you can avoid making the same mistake in your own health-related business. Here are the tips in review:

  • Provide ongoing training for employees
  • Position computer monitors so patients can’t see them
  • Don’t discuss procedures or patient information in the waiting room
  • Don’t use portable storage devices
  • Avoid allowing nurses and doctors to treat people they know

For more help in keeping your practice or business HIPAA-compliant, contact us today!

Preparing for the Unexpected: 5 Things Your Disaster Recovery Plan Must Cover

Preparing for the Unexpected: A Disaster Recovery Plan Checklist

No business owner should leave things to chance and just hope that a natural disaster won’t hit his/her business. If you want to cover your bases, you should invest in risk management and have a disaster recovery plan in place. Find out how to devise a DR plan checklist here.

Unfortunately, natural disasters happen when people least expect them. If you are a business owner, you know that a power outage has the potential to be disastrous.

Investing in risk management and covering your bases beforehand will help avoid mass chaos and panic in the long run.

Here are some things you should have on your disaster recovery plan checklist.

Your Disaster Recovery Plan Starts With a Trustworthy Source

The first thing on your disaster recovery plan checklist should be to find a trusted IT partner to help you through this process.

Immersion Security has a lot of experience in risk management.

These professionals will work on identifying any potential threats and will also develop and put in place the recovery plans.

Some tasks and assessments that your source can help you with would be:

  • Vulnerability Scans
  • Risk Assessments
  • Risk Remediation
  • Risk Management Program Design

The process of creating a disaster recovery system can be intricate, so it is best to contact the professionals for a foolproof plan.

Know Your Important Data

When planning for disaster recovery, it is crucial to understand where your high-value data is and what that means for your specific business.

This high-value data would be any sensitive customer information. This data could also be files that you frequently use on a day-to-day basis.

It might be helpful to create a hierarchy of the data your business stores, ranked from most important to least important.

That hierarchy will show you which data is the most critical and therefore most in need of protection.

What is Your Ideal Recovery Time?

Every business is different; therefore every recovery plan is different, including the recovery time.

You will need to decide how quickly you would ideally want/need to have your data back up and running for your business.

For example, the least expensive option (storing data offsite) is often the one that takes the most time to recover from.

Other factors that affect recovery speed include whether the data is stored onsite or in the cloud, and whether you use tape or disk.

Whatever you choose, use the system that provides your business with the optimal recovery time for your budget.

Make Updates Accordingly

As your internal systems and data change, so should your data recovery system.

Not updating your recovery system is a common mistake that can cost you big.

These changes include any major software updates, new technologies, or updated algorithms.

Practice, Practice, Practice

While having a disaster recovery plan in place is admirable, the only way to know if it works as it should is to test it out.

Implement practice procedures and do regular testing to make sure that everything is performing as it should.

Be Prepared

Using these disaster recovery plan tips can help your business in its most desperate time of need if it comes down to it.

Immersion Security will help keep you secure from any cybersecurity threats.

Take a look at our blog for more business cyber security tips and advice.

Vendor Risk Management: Why You Need to Think About Third-Party Cybersecurity

All About Vendor Risk Management: How Secure Are Your Vendors?

You might be investing a lot in your own company’s cybersecurity. But are you taking steps to ensure your vendors aren’t putting your business at risk? Let’s talk about vendor risk management and why vendor security is a must.

Around 46% of Americans have been victims of credit card fraud. Protect your business and all of your sensitive information with vendor risk management.

Nearly half of all credit card fraud (47%) happens in the United States. Unless you’re taking extra steps to protect your sensitive data, you’re at risk for a security breach.

Here's what you should know about working with third-party vendors and staying safe:

What is Vendor Risk Management?

Vendor risk management involves identifying and decreasing legal liabilities and uncertainties in business. It also entails managing how third-party vendors deal with sensitive information.

Sensitive data is transmitted and processed on company and vendor networks. When you hire a third-party vendor, all of this data is processed and saved in their database, even if they don't create a back-up.

Sensitive information like credit card numbers, passwords, and social security numbers don’t simply linger in a database. This data gets transmitted to other areas. For instance, data often gets transmitted to logging servers.

Implementing vendor risk management policies lessens the likelihood of sensitive information being abused.

Develop a Strategy

Vendor risk management involves vendor risk assessment. Only get involved with honest, trustworthy vendors. Develop a set of questions vendors must answer to assess their risk level.

A good strategy always includes a contract that details the business relationship between your organization and the vendor. Your contract should have stipulations that vendors must meet to ensure high-quality performance in maintaining cybersecurity. Their performance should be regularly monitored.

The vendor agreement should have guidelines explaining who has access to what information. There should also be explicitly stated rules against abusing this information.

Choose and Monitor Vendors Wisely

All vendors should meet stipulations that comply with the regulatory guidelines of your industry. How vendors are meeting these stipulations should always be monitored.

For instance, if your vendor has a 10% failure rate in internet software patching, can you really trust them with sensitive information? Research vendors thoroughly and don’t be afraid to ask questions.

Your vendors should have a security policy and procedures that extend beyond the bare minimum. Without written policies, security risk assessment is left to individual interpretation.

Look out for vendors who’ve gained special recognition for their security practices. This includes awards and certifications from organizations like Service Organization Controls (SOC) and the Health Information Trust Alliance (HITRUST).

You should always verify that your vendor conducts regular information security risk assessments. Security risk assessments should evaluate the likelihood of risks and their impact, implement changes to fix the risk, and document those changes afterward.

Encrypt Data In Transit

Encryption protects data by making it unreadable without a password.

Sure, it's easy to claim data is encrypted when it's on the server, but what about in transit? Third-party vendors should be encrypting sensitive information while it's being transmitted to another server.

Ask vendors specific questions about how they protect data in transit in certain situations. Make sure the keys used to encrypt the data are highly protected.

Keep Your Data Safe and Secure

Nearly 76% of all IT security breaches are money-motivated. Save yourself money and time with vendor risk management.

Give yourself some peace of mind and learn more about cybersecurity. You’re better off safe than sorry.

How to be PCI Compliant: Top 5 Dos and Don'ts

No matter how small or big your business is, if it accepts, stores, and transmits credit/debit card data, it must be PCI compliant. Lucky for you, we’re breaking down everything you need to know about how to be PCI compliant.

In today’s environment, no one can afford to play fast and loose with sensitive data. In 2017 alone, data breaches cost American companies 7.35 million dollars.

This is what the Payment Card Industry Data Security Standard (PCI DSS) is for. Credit card data is often targeted by data thieves, and IT companies that handle it need to follow special precautions.

While following these regulations may seem like a headache, it’s much more costly to suffer a data breach. In fact, non-compliance can cost an organization up to $500,000 per incident.

Check out this guide for more details on how to be PCI compliant.

1. Do Use a Secure Network

The first step in building a secure network is to create and install a firewall configuration system unique to your company. There should be a clear policy and configuration test procedure that is regularly updated. Maintaining these firewalls is best practice for maintaining PCI compliance.

Don’t use system passwords provided by software vendors. Instead, make sure to create passwords unique to your organization, managing their use regularly.

2. Do Protect Data

Companies that do not store data are saving themselves a lot of work when it comes to PCI compliance.

If you do store data, you need both virtual and physical protection from your hosting provider. Virtually, make sure they have several layers of protection that include passwords, authentication, and authorization.

Physically, your private data hosting provider should securely store their servers. This means housing the equipment in a locked environment.

3. Do Use a Vulnerability Management Program

If managing your own private data, anti-virus software is a must. As with all software, it needs to be regularly updated.

If outsourcing your data storage, make sure the company keeps audit logs of their system checks. You can ask for these regularly to ensure the company is responsibly handling the data.

Security vulnerabilities are an inevitability. This is why your system should regularly identify them so they can be properly addressed as they occur. Alert systems should be in place to do this.

4. Do Have Strong Access Control

Having strong access control means limiting access to protected data. This will limit the potential for mishandling and misusing that data.

Those with access should have user accounts with password encryption, regular password updates, login time limits, and other authentication procedures.

The physical environment holding the sensitive data needs entry authentication and thorough surveillance.

5. Do Have an Information Security Policy

Work policies must reflect PCI compliance, and employees should be knowledgeable about them. These policies should discuss how employees should and should not use company technology. They should also detail security procedures.

In addition to sharing the content of the policy, the company should review it with staff. Quality checks of policy adherence can help with data risk management.

More on How to Be PCI Compliant

In our increasingly digital world, PCI compliance is more important than ever before. Unfortunately, PCI compliance is a complicated task, and many businesses struggle to meet its requirements.

To learn more about how to be PCI compliant, check out our blog page.

The Importance of Having a Security Incident Response Plan

Having a Security Incident Response Plan is a Must for Businesses

Having a system in place for preventing cyber attacks is not an option for businesses. It's a must. Part of that is having a security incident response plan at the ready in case prevention methods fail. Let's talk about what it means to have an incident response plan and how you can go about making one for your company.

60% of businesses that experience cyber attacks will go out of business within 6 months.

The majority of businesses that go out of business after a security breach do so because they didn't prepare for it. Not only are they unable to protect their company from an attack, but they can't control the damage either.

With technology always advancing, different types of cyber attacks are a common occurrence for small businesses.

This is why it’s so important to have a security incident response plan in place in case a cyber attack does happen. In this blog, we’ll discuss the different aspects of security incident response that you should plan for right now.

Important Aspects of Your Security Incident Response Plan

Cyber attacks happen often, especially if you don’t have a reliable risk management company protecting your business.

This means you need to have a solid plan in place that will minimize the damage and potentially save your company from going out of business.

Plan of Action

You need to create an initial plan of action that will go into effect right when you learn of a cyber attack.

First, you need to find the source of the security breach. Then you need to see how far into your system the breach has spread. Finally, you’ll stop it from further spreading, and eliminate the cyber threat.

Then, you’ll want to switch to backup servers so you can continue working safely and obtain any info you need from these servers.

Notify Customers, Clients, and Partners

Once the security breach has been taken care of, you need to notify everyone that could have been affected by the cyber attack.

If your system contained client information, those clients need to be made aware that their information could have been stolen. This will allow everyone affected to take the necessary steps to protect themselves from any further harm.

Gather Forensic Info

Once the threat has been eliminated and you’ve moved to backup systems, you’ll want to investigate your affected servers.

You need to gather as much information as possible about the cyber attack, such as how it happened and where it originated.

Once you’ve gathered all of the necessary information, contact the authorities so they can try to find out who conducted the attack.

Hire a Cyber Security Company

The best way to prevent another cyber attack is by hiring a cyber risk management company that will give your systems the protection they need.

The last thing you want is to suffer back-to-back cyber attacks because you didn’t change your security approach. Customers may be forgiving after one breach of security, but you’ll almost certainly lose them after a second cyber attack.

For More Information

If you want to decrease the risk of your company failing due to suffering from a cyber attack, you need to have a security incident response plan.

This plan should consist of a plan of action, notifying the people affected, gathering info, and ultimately hiring a cyber risk management company.

For more information on how you can help protect your business from cyber attacks, please contact us today.

How to Prevent Data Breaches to Protect Your Business

The last thing you want is for a data breach to happen on your watch. But preventing data breaches can only be done when you have a solid plan. This guide will show you how to prevent data breaches to protect your business and clients.

When it comes to keeping your data safe, we have some bad news and good news.

First, the bad news. According to Verizon, there were over 53,000 incidents and more than 2,000 data breaches within the past year. To make matters worse, these numbers are only expected to rise in the coming years.

So what’s the good news? Your business doesn’t have to fall victim to cybercrime.

Here are some tips on how to prevent data breaches at your workplace and strengthen your team’s cybersecurity effortlessly:

Restrict Download and Website Access

Recent phishing scams are a great example of how cybercriminals are getting smarter every day. Take, for instance, the recent outbreak of fake Apple emails.

Users would receive an email stating that their Apple ID was compromised, with instructions to click a link to recoup their lost access.

However, once the unlucky recipient clicked on the embedded link and “changed” their account info, hackers could then access their Apple account information. That includes their credit card information.

It became such a problem that Apple had to get in front of the problem and create a guide to help users determine what was and wasn’t a legitimate email.

So how does this pertain to your workplace? Well, most scams aren't obvious. Even a tech-savvy individual could fall for a fake email if the sender's address looks legitimate.

Improving your office's web security can prevent employees from accidentally exposing important information. Restrict access to downloads (unless absolutely necessary) and keep an eye on your business's list of trusted websites.
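One defensive control the story above points at is checking whether a sender's address really belongs to the brand its display name claims. The following is an added example, not code from Immersion Security or the original post; the trusted-domain list, the sample From: headers and the two-edit threshold are constructed for the demonstration.

```python
import re

# Domains the organization actually trusts (assumption: maintained by IT;
# apple.com stands in for the brand impersonated in the article's example).
TRUSTED_DOMAINS = {"apple.com", "immersionsecurity.example"}

# Constructed From: headers for the demo, not real messages.
SAMPLE_HEADERS = [
    "Apple <no_reply@email.apple.com>",            # legitimate subdomain
    "Apple Support <security@app1e.com>",          # digit 1 imitates letter l
    "Apple ID <verify@apple-id-recovery.net>",     # brand name, unrelated domain
    "Jane Doe <jane@immersionsecurity.example>",   # internal, fine
    "Apple <support@rnail.app1e.co>",              # homoglyph plus one-char edit
]

FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<?(?P<addr>[^<>\s]+@[^<>\s]+)>?\s*$')


def parse_sender(header):
    """Split a From: header into (display name, address), both lower-cased."""
    m = FROM_RE.match(header)
    if not m:
        raise ValueError(f"unparseable From header: {header!r}")
    return (m.group("name") or "").strip().lower(), m.group("addr").lower()


def normalize_homoglyphs(domain):
    """Undo common look-alike substitutions so app1e / rn-for-m compare equal."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
    return domain.translate(table).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Crude registrable-domain guess, last two labels (assumption: no PSL lookup)."""
    return ".".join(domain.split(".")[-2:])


def assess_sender(header, trusted=TRUSTED_DOMAINS):
    """Return finding kinds for one From: header; an empty list means no flag."""
    name, addr = parse_sender(header)
    domain = addr.split("@", 1)[1]
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return []
    findings = []
    base = normalize_homoglyphs(registrable(domain))
    # Within two edits of a trusted registrable domain after de-homoglyphing.
    if any(levenshtein(base, registrable(t)) <= 2 for t in trusted):
        findings.append("lookalike-domain")
    # Display name invokes a trusted brand while the address does not belong to it.
    brands = {registrable(t).split(".")[0] for t in trusted}
    if any(brand in name for brand in brands):
        findings.append("brand-mismatch")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header:45} -> {assess_sender(header) or 'ok'}")
```

The two-edit threshold trades false positives for coverage; tune it per trusted domain, and treat a finding as a reason to quarantine or banner the message for review, not as proof of fraud.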

Educate Your Team on Cybersecurity Protocol

As the saying goes, the best type of offense is a great defense. Even if you have a great IT team, data breach prevention starts with employee education.

Once per quarter or so, gather your employees and brief them on cybersecurity trends. Include common types of scams as well as information on how they, as employees, can keep data safe.

Even if your meeting is brief, stress the importance of keeping company data secure.

This includes routinely checking password strength. If your employees are using weak passwords, they’re putting your entire system at risk.

Encourage employees to create complex passwords with alphanumeric and special characters.

Create a Breach Response Plan

What would you do if your company suffered a data breach at this moment?

If you don’t have an immediate answer to this question, it’s time to put together a data breach protocol plan.

Come up with an extensive strategy for how to handle the very real possibility of a data breach. Even if you never have to use this plan, just having the resources and information at your disposal can put your whole company at ease.

Learn How to Prevent Data Breaches

Want more specifics on how to prevent data breaches? Get in touch with our team at Immersion Security.

We’re dedicated to keeping your data right where it belongs. A few minutes of your time could save your business millions of dollars.

    Immersion Security

    Providers of vCISO (Virtual Chief Information Security Officer), Secure MSP (Managed Service Provider), Compliance and Consulting.

    Immersion Security is a team of dedicated cyber security experts and researchers who are dedicated to bringing the best and most up-to-date information, technology, and practices to your business.


    37 N. Orange Ave.
    Orlando, FL 32801