
5 IT Policies Your Company Needs to Put Into Effect Today

As a business owner, you have a central role in your organization’s daily operations (including IT policies) to enhance its stability and growth. You create a vision, set goals, and define expansion opportunities. You also hire employees, partner with product suppliers and service vendors, and develop ties with customers.

These relationships are vital and rewarding, but they expose your business to a variety of risks. You face some level of liability every day. It’s critical to create policies and put them in writing to reduce the likelihood and impact of detrimental events.

What Are Policies?

Policies are guidelines that describe how an organization plans to tackle various eventualities. They communicate the vision and values of a business and inform workers what to do in certain circumstances.

Formal policies instruct employees on how to conduct themselves at work right from the onboarding stage. The staff can tackle problems proactively without a need for micromanaging. Policies smooth business operations and save time and stress for management.

Relevant IT Policies for Your Company

IT audits frequently find businesses with ineffective, outdated, or no IT-related policies at all. The usual reason is the lack of a team dedicated to developing and maintaining procedures.

The right policies for your business depend on your industry and practice. If you run a small or medium-sized healthcare business, below are some IT-related policies that you should have in writing.

Bring Your Own Device (BYOD) Policy

It’s usual to find employees using personal electronic devices like smartphones and laptops in modern workplaces. Organizations allow this practice for reasons like cutting costs and the convenience it brings to the staff. Sometimes, workers take corporate tasks home and handle them on their computers.

While this routine benefits your company, it can lead to cybersecurity and legal compliance concerns. Typically, a personal mobile device may not have sufficient protection against cyber threats. Hackers might access sensitive information or intercept data during transmission.

You might also break labor laws unknowingly. The Department of Labor prohibits employing a worker for more than 40 hours per week unless you’re paying for overtime. Employees using personal devices after official hours could exceed this limit without your knowledge and get your business in trouble.

How a BYOD Policy Can Help

A well-crafted BYOD policy can define the minimum security requirements an employee’s device must meet before it qualifies for official assignments. You can require all employees intending to use their laptops or smartphones for business tasks to present them to your IT team for security upgrades. The policy can also prohibit the use of personal devices for business-related activities off the clock.

Your BYOD policy doesn’t have to be intricate. It should only focus on the things that employees can or cannot do using their devices. You can develop your BYOD policy based on these samples.

Remote Workers Policy

Nowadays, a fine line separates corporate workplaces from home stations. Technologies like video conferencing have enabled workers to collaborate and achieve their roles in organizations remotely.

Remote work arrangements can be temporary or permanent. A remote work policy outlines when and how staff in an organization can work from locations other than the official business premises. If you are considering transferring your employees to teleworking, create a remote working policy first.


Importance of Remote Workers Policy

Teleworking is not suitable for all tasks. Therefore, some workers can work from remote locations while others have to be on site. IT challenges may arise in remote workplaces, like security breaches due to the use of home internet connections and devices. Workers can also get distracted when working from unregulated worksites.

Ensure your remote work policy outlines who is eligible for teleworking and who manages such staff. The terms should be fair for all employees to prevent discrimination allegations. To ensure productivity, indicate the working hours or the expected output for workers.

Highlight your company’s cybersecurity requirements. You can require every remote worker to use company laptops or to upgrade their devices to a certain level of protection. You can also direct employees to use your virtual private network (VPN) when accessing corporate systems.

While these guidelines will enhance your employees’ productivity, don’t forget to include their legal rights. You can search the internet for a remote work policy template to get you started.

Acceptable Use Policy

Digital technologies have made it easy to access information and disseminate it via computer networks. Technology is a business driver, but its uncontrolled use can have adverse effects.

You can gain some control over your staff’s online behavior by introducing an acceptable use policy. It outlines restrictions to the use of an organization’s technological infrastructure, including computer systems, networks, and websites.

Benefits of an Acceptable Use Policy

An acceptable use policy can prevent the following worker-related issues in your company:

  • Time wastage on browsing the internet
  • Irresponsible posts and comments on social media
  • Sending personal emails using company accounts
  • Exposing your systems to cyber threats
  • Unauthorized sharing of sensitive information
  • Infringing data privacy regulations

Components of an Acceptable Use Policy

Include a statement warning employees against unsafe use of email, social media, and the internet. Describe acceptable behavior in your company, like how users should log in and which websites they can open.

Similarly, outline unacceptable behavior. Examples include downloading indecent content, invading other people’s privacy, defaming or bullying others via corporate networks, and infringing privacy and copyright laws.

Conclude with how the company will punish anyone who violates the policy. See this sample for tips on creating an acceptable use policy for your business.

Patient Information Protection Policies

The HIPAA Privacy Rule is a national regulation that protects patients’ medical records and other health information. If your business deals with such information or you are a healthcare provider who transacts electronically, you should comply with HIPAA standards.

It doesn’t matter whether you transmit the data yourself or use a third party or a billing service. The transactions may be referral authorization requests, inquiries about insurance benefit eligibility, filing claims, and more.

Which Data Requires Protection?

Protected health information (PHI) is broad. It includes an individual’s demographic data such as name, date of birth, age, address, Social Security Number, medical history, etc.

The Need for HIPAA Privacy Policy

Non-compliance with the HIPAA Privacy Rule can result in severe civil and criminal penalties. Here is a breakdown of fines for civil violations resulting from various behaviors:

  • Unintended infringement: $100 to $50,000 per violation, $25,000 maximum for repeated violations annually
  • Breach with a reasonable cause: $1000 to $50,000 per violation, $100,000 maximum for repeated violations annually
  • Negligence but violation corrected within the allowable period: $10,000 to $50,000 per violation, $250,000 annual maximum for repeated violations
  • Willful neglect and not corrected: $50,000, and $1.5 million annual maximum for repeated violations

Criminal penalties for offenders who knowingly disclose or acquire individually identifiable health information (IIHI) are a $50,000 fine and up to one year of imprisonment. Offenses committed under false pretenses attract a fine of $100,000 and imprisonment for up to five years.

Crimes related to the intention to sell, transfer, or exploit IIHI for personal or commercial gain or malicious damage are the worst. You may have to pay a fine of $250,000 and spend up to ten years in prison.

Every HIPAA covered entity should have complied with the privacy rule by April 20, 2005. Be sure to adopt proper and realistic policies and procedures immediately to meet the requirements.

Crafting Your HIPAA Security Policy

If you want to become HIPAA compliant, appoint a Privacy Officer to take charge of sensitive data. This person will identify all PHI and secure it with passwords and other access-restriction policies. You can also restrict entry to the room where patient records reside.

Additionally, train your employees and partners about the importance of protecting IIHI. Let every stakeholder understand the rights of patients and urge them to respect them. Consider applying disciplinary action for individuals who act recklessly.

In case you partner with third parties who can potentially access PHI in your institution, ask them to sign business associate agreements. The contract should prohibit partners like consultants and vendors from leaking or misusing the data.

The best way to avoid HIPAA violations is to team up with a reputable managed IT services provider. The firm will manage and monitor your sensitive data and help you to stay compliant.

Incident Response Policy

Any entity that uses computer systems and networks is vulnerable to cybercrime. Incidents like data breaches can be exceedingly expensive. The consequences, which include fines and damage to brand reputation, can cripple your business. Develop an incident response policy to tackle cyberattacks.

Building an Incident Response Policy

Start by identifying the location of all your sensitive data and the available security infrastructure. Outline how your organization will monitor, detect, and report security incidents. For successful intrusions, describe how you’ll distinguish real threats from false alarms and how you’ll contain and neutralize them.

Your policy should have a follow-up plan. Provide a strategy for sealing loopholes to avoid future breaches, including updating your threat intelligence and incident response plan. Here’s a resource with more information about incident response policies.

IT-Related Compliance in Jacksonville, FL

Many IT-related compliance issues can get your organization on the wrong side of the law. If you operate an SME in Jacksonville or elsewhere in Florida, our team at NetTech Consultants can help you. We offer first-rate managed IT services to protect your data and keep your business compliant day and night.

Contact us to discuss your needs.


IT Off Boarding: Building an IT Action Plan for Workforce Reduction

When an employee leaves the company, a defined process must be followed to decommission them as an employee. HR usually handles the majority of workforce reduction and offboarding. Exit interviews, severance packages, and necessary organizational changes are all on the human resources side of things. However, in this day and age, the IT department is also part of the offboarding process. Employees are so hooked into the company data, often with personal accounts and authorized access, that they must be digitally disentangled from the company before they can safely leave.

Whether a person has been let go or is departing for another job, IT needs to walk through certain steps when the workforce is reduced. Each person who leaves the company must be removed from the system, their equipment returned and wiped, and their projects transferred to the team or supervisor they have been working with. 

IT Responsibility During Offboarding

Employees leaving the company means company data and access to company systems may be at risk. In a best-case scenario, employees leave under positive conditions and work with you to offboard themselves from the system. In a worst-case scenario, someone is asked to leave and might take retribution if allowed even one extra hour’s access to the company network and digital resources.

Companies must consult with their IT department to put an action plan in place for both damage-control offboarding and collaborative offboarding.

The Basic Concerns of Safe IT Offboarding

  • Mischief and Retribution
  • Accidental Post-Employment Exposure
  • Legacy-Permission-Based Security Gaps

Make sure your action plan covers all your bases. The top three concerns for IT offboarding are mischief, accidental exposure, and legacy permissions. When an employee leaves against their will, you will need to take damage-control steps against mischief and retribution, cutting them off from company resources before damage can be done.

Ex-employees who still have access to company resources, say, on their phones could accidentally allow a breach if the phone falls into the wrong hands. Lastly, having an account that still has file permissions is leaving a loophole open for account-spoofing hackers.

Courtesy in the Face of Security

  • Access to Work Email – Limited to Internal Communications
  • Retrieval of Personal Files
  • Helping Coworkers Transition

For employees leaving on their own plans, you can take a different path. Assist the ex-team-member in transitioning their files and closing out their company email, while making sure there are no security gaps left behind when the process is through.

IT Action Plan When an Employee Leaves the Company

Assign an Exit Transition Rep

Choose one member of the IT team to interface with the employee, if necessary. In most cases, offboarding will be fast and smooth, with minimal messages. But sometimes things need to be handled personally. Having a different IT member answer each question or problem is a recipe for miscommunication and mess. Instead, assign an exit transition rep, one admin or IT department member who handles all communications and any guided transition for each employee who leaves the company.

Determine the Risk Level

As we’ve discussed, there are two paths for digitally offboarding an employee. Someone leaving in friendly conditions can be helped to transition their files and authorizations to their team or supervisor, or successor, as they go. Someone who must be prevented from mischief or retribution on the way out needs to be blocked from this course immediately by cutting off their access to company resources and messaging before or at the same time as they are released from employment.

High Risk – Take Steps, Then Notify

If an employee might be considered a security risk on departure, HR needs to let you prepare for this maneuver ahead of time. Ideally, you will be able to coordinate closing access to accounts, data, and equipment with the employee’s exit from the workplace. This way, the employee can close their employment cleanly and without the risk of a security breach.

Low Risk – Notify and Work Together on Transition

For employees who take part in their exit and transition plan, build a protocol to assist in the closure. Let the employee know during their last two weeks what steps they can take to hand over their files, data, projects, and equipment. This way, you’ll have everything ready to close accounts and change the passwords on their last day.


Protect Access to Company Data

  • Change All Company Passwords and PINs
  • Remove Employee from All Files and Work Groups
  • Remove Employee Cloud Access
  • Cancel Access to Company Accounts
  • Disable Employee Personal Device Authorization

Employees have exclusive access to files, data, platforms, group projects, and company resources. They may also have access to or control key company accounts. It is essential that every ex-employee be completely scrubbed from data access through all relevant vectors when working with workforce reduction.

Start by changing all the passwords. It’s best to change passwords company-wide with the assumption that the employee could have gained access to additional or non-essential codes. Change the PINs as well.

If you control data access through account authorization, de-authorize the ex-employee’s accounts from everything. Do not leave a hanging permission for an unused account, as this can be dangerous. Make sure all dormant or canceled employee accounts have no permissions or authorizations. If the employee has a company account or personal email access to your cloud platform or third-party services, remove them for workforce reduction.

Lastly, make sure this ex-employee’s personal devices are no longer authorized to access the company network or software. At the same time, make sure they’re removed from alerts and messages once they’re out of the workplace.
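The checklist above names several access vectors that each have to be scrubbed. As an added example (not code from the original article or from NetTech Consultants), the Python script below audits a constructed directory snapshot for users marked terminated and reports every group membership, cloud grant, device authorization, and alert-list subscription that is still live, then orders the revocations so the most dangerous (an admin role in a SaaS tenant) is cut first. The users, services, device ids, and severity ranking are all assumptions made for the example; a real run would read these from your identity provider, MDM, and SaaS admin consoles.

```python
"""Added example, not part of the original article or NetTech's tooling.

Audits the access vectors the offboarding checklist lists (group memberships,
cloud grants, device authorizations, alert/message lists) for users whose
status is "terminated" and reports what is still live. All directory data
below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class User:
    username: str
    status: str                                # "active" or "terminated"
    termination_date: Optional[date] = None


# Constructed snapshot: gus left on 2024-03-01 and still has access;
# dana left on 2024-02-15 and was scrubbed cleanly; alice is still employed.
USERS = [
    User("alice", "active"),
    User("gus", "terminated", date(2024, 3, 1)),
    User("dana", "terminated", date(2024, 2, 15)),
]
GROUP_MEMBERS = {
    "finance-share": {"alice", "gus"},
    "project-apollo": {"alice"},
}
CLOUD_GRANTS = [                               # (user, service, role)
    ("alice", "crm-saas", "editor"),
    ("gus", "crm-saas", "admin"),
    ("gus", "file-sync", "member"),
]
DEVICE_AUTHS = [                               # (user, device id, how it is trusted)
    ("alice", "laptop-a1b2", "mdm-enrolled"),
    ("gus", "phone-7f3a", "vpn-certificate"),
]
ALERT_LISTS = {"oncall-alerts": {"alice", "gus"}}
AUDIT_DATE = date(2024, 3, 8)                  # "today" for the exposure calculation

# Higher number = revoke first; an admin role in a SaaS tenant outranks a mailing list.
SEVERITY = {"cloud": 4, "device": 3, "group": 2, "list": 1}


def residual_access(users, groups, cloud, devices, lists):
    """Return {username: [finding, ...]} for terminated users with any live access."""
    terminated = {u.username for u in users if u.status == "terminated"}
    findings = {u: [] for u in terminated}
    for group, members in groups.items():
        for member in members & terminated:
            findings[member].append(f"group:{group}")
    for user, service, role in cloud:
        if user in terminated:
            findings[user].append(f"cloud:{service}:{role}")
    for user, device, trust in devices:
        if user in terminated:
            findings[user].append(f"device:{device}:{trust}")
    for name, members in lists.items():
        for member in members & terminated:
            findings[member].append(f"list:{name}")
    # Users with an empty list (dana) were offboarded cleanly and are dropped.
    return {u: sorted(f) for u, f in findings.items() if f}


def remediation_plan(findings, users, today):
    """Flatten findings into revocation actions, most dangerous vector first."""
    by_name = {u.username: u for u in users}
    actions = []
    for user, items in findings.items():
        exposed = (today - by_name[user].termination_date).days
        for item in items:
            vector = item.split(":", 1)[0]
            actions.append((SEVERITY[vector], user,
                            f"revoke {item} for {user} (exposed {exposed} days)"))
    actions.sort(key=lambda a: (-a[0], a[1], a[2]))
    return [text for _, _, text in actions]


if __name__ == "__main__":
    found = residual_access(USERS, GROUP_MEMBERS, CLOUD_GRANTS, DEVICE_AUTHS, ALERT_LISTS)
    for line in remediation_plan(found, USERS, AUDIT_DATE):
        print(line)
```

Running the audit on a schedule, not only on the day someone leaves, is what catches the "legacy permission" gap the article warns about: a terminated account that was missed on exit day shows up with a growing "exposed N days" figure until it is revoked.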

Considerations for Inaccessible Backups

Some employees will have local backups of company information on their personal devices. This is usually active or reference material like project work product or paperwork that’s been managed recently. However, Git backups tend to be more complete. Consider your plans for dealing with backups that you cannot access, retrieve, or delete when dealing with workforce reduction. There is not currently a best practice for this, but your company should be aware of the possibility.

Close Out the Employee Email Address

Low Risk

  • Limit Company Email Address to Internal-Only Messaging
  • Set Up Appropriate Email Forwarding
  • Enable Final Document and Project Transitions
  • Replace Employee in Email Lists
  • Disable Employee Email Address

High Risk

  • Disable Employee Email Immediately
  • Replace Employee in Email Lists
  • Forward Inbox to Company Alternate

When the employee is done with the role, make sure their email address is deleted or permanently deactivated. This is a multi-step process that must be done with low-risk vs high-risk considerations. In both cases, you will need to redirect emails to new employees or to the ex-employee’s personal account. In both cases, you will need to replace the ex-employee’s email in any mailing lists and subscriptions for the company. You will also want to set up an “away message” and redirect service for incoming messages.

In a low-risk situation, work with your employee to transition their email incoming and outgoing. In a high-risk situation, cut off email immediately so that no false or unpleasant messages are sent in response.

Retrieve Company Devices

  • Arrange for the Return of Company Devices
  • Backup Work Data
  • Wipe Clean all Devices

If the employee has been using company-provided devices, IT is responsible for recommissioning them. You might also be responsible for retrieval. In a low-risk situation, advise the employee to remove and save their personal files and to get their projects ready to hand off to a coworker. Then arrange the return of the devices. In a high-risk situation, try to reclaim the devices on the same day or slightly before the employee exits the workplace.

When you have the devices, back up any important information for transition and then wipe each device back to factory settings. They can be repurposed from there.

Correctly Transition Employee Data

  • Only Keep Relevant Data
  • Prevent Malware Transmission
  • Prevent Saving Duplicates
  • Sort Employee Data Back Into Shared Resources
  • Make Data Available to Supervisor and/or Team

Now you need to work with the employee data. Do not simply hand the saved hard drive to the ex-employee’s supervisor. This can result in inefficient data referencing as “G’s old Drive” becomes a ghost-location for files.

Instead, sort and reassign all data within. Start by making sure no potentially infected files made it through the previous clean sweep. Then grab only relevant data, avoiding saving Git backups of duplicate data. Transfer the employee’s sorted data into the correct channels of public resources, group projects, or files that go to their supervisor. Make sure the ex-employee’s supervisor and team can access anything they need of the ex-employee’s files.

Craft Your Action Plan for the Company IT Infrastructure

IT offboarding and workforce reduction are more demanding than ever, and exceedingly necessary with data breaches in the spotlight. By having an IT action plan for workforce reduction, you ensure that each time an employee leaves your company, they don’t leave with mischief or security breaches in their wake. For more insights into optimizing your IT security and strategies, contact us today!

The 9 Most Common HIPAA Violations in 2019 and How to Prevent Them

HIPAA violations are common occurrences throughout the medical industry. Inadequate security protocols, failure to perform comprehensive risk audits, and human error are just a few of the many contributing factors that result in breaches of HIPAA regulations. 

The following information discusses 9 of the most common HIPAA violations that occurred in 2019, the potential damage they can do to an organization, and how you can reduce the risk associated with each one – or even prevent it altogether.

Record Snooping

HIPAA’s Privacy Rule only permits access to patient health records for a few specific reasons, such as treatment, payment, and healthcare operations. Any other reason for access on the part of a healthcare provider or employee is invalid, and considered to be a violation of patient privacy.

Sadly, “record snooping” is one of the most common HIPAA violations that occur today. Unauthorized employees will often look through the records of friends, family members, neighbors, colleagues, and even celebrities. If such violations are uncovered, they typically lead to the immediate dismissal of the guilty employee, and sometimes result in criminal charges.

They may also result in stiff financial penalties for the organization involved. For example, the University of California Los Angeles Health System was fined $865,000 for its failure to restrict an unauthorized doctor’s access to the confidential medical records of certain celebrities.

In order to prevent record snooping, it’s important that you set up adequate security controls that restrict general access to patient records, even among employees. This could include advanced password protection for electronic protected health information (PHI), or logging requirements that mandate documentation for each time a record is accessed.
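The access logging the paragraph recommends is only useful if someone reviews it. As an added example (not code from the original article or from NetTech Consultants), the Python script below runs a few snooping heuristics over constructed record-access log lines: an access by someone with no care-team or billing relationship to the patient, an employee opening their own record, access to a flagged (VIP) record by anyone outside the care team, and an access with no reason recorded. The log format, user names, patient ids, and roster tables are all assumptions made for the example; a real deployment would take them from the EHR audit trail and scheduling system.

```python
"""Added example, not part of the original article.

Record-snooping detection over constructed EHR access log lines. The rosters
(care teams, billing staff, which employees are also patients, VIP records)
are constructed too; in practice they come from the EHR and scheduling data.
"""
import re

# Constructed log format: ISO timestamp, then key=value fields; reason is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+)(?: reason=(?P<reason>\S+))?$"
)

ACCESS_LOG = """\
2019-05-02T09:14:03 user=jdoe action=view patient=P1001 reason=treatment
2019-05-02T09:20:11 user=jdoe action=view patient=P1002 reason=treatment
2019-05-02T11:02:45 user=rlee action=view patient=P1001 reason=billing
2019-05-02T11:40:30 user=rlee action=view patient=P1002 reason=billing
2019-05-02T12:30:07 user=mkim action=view patient=P2042
2019-05-02T12:31:19 user=mkim action=view patient=P3003 reason=treatment
2019-05-02T13:05:52 user=rlee action=print patient=P2042 reason=payment
"""

CARE_TEAM = {"P1001": {"jdoe"}, "P1002": {"jdoe"}, "P3003": {"mkim"}, "P2042": set()}
BILLING_STAFF = {"rlee"}
BILLING_REASONS = {"billing", "payment"}      # payment-related access the Privacy Rule permits
EMPLOYEE_OWN_RECORD = {"rlee": "P1002"}        # employees who are also patients here
VIP_RECORDS = {"P2042"}                        # records flagged for extra scrutiny


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def evaluate(entry):
    """Return the rule names an access entry trips; an empty list means permitted."""
    user, patient, reason = entry["user"], entry["patient"], entry["reason"]
    flags = []
    if EMPLOYEE_OWN_RECORD.get(user) == patient:
        flags.append("self_access")
    on_care_team = user in CARE_TEAM.get(patient, set())
    billing_ok = user in BILLING_STAFF and reason in BILLING_REASONS
    if not on_care_team and not billing_ok:
        flags.append("no_relationship")
    if patient in VIP_RECORDS and not on_care_team:
        flags.append("vip_record")
    if reason is None:
        flags.append("missing_reason")
    return flags


def detect(text):
    """Return (timestamp, user, patient, flags) for every entry that trips a rule."""
    findings = []
    for entry in parse_log(text):
        flags = evaluate(entry)
        if flags:
            findings.append((entry["ts"], entry["user"], entry["patient"], flags))
    return findings


def per_user_counts(findings):
    """Total rule hits per user, a quick way to spot who needs a conversation."""
    counts = {}
    for _, user, _, flags in findings:
        counts[user] = counts.get(user, 0) + len(flags)
    return counts


if __name__ == "__main__":
    for ts, user, patient, flags in detect(ACCESS_LOG):
        print(f"{ts} {user} -> {patient}: {', '.join(flags)}")
```

A hit is a prompt for review, not proof of snooping: a legitimate consult that was never entered into the scheduling system looks identical to a curious employee. The point of the reason field and the care-team table is that the reviewer has something to check the access against, which is exactly the documentation the paragraph asks for.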

Failure to Perform and/or Act Upon a Risk Analysis

Many organizations neglect to perform a comprehensive, enterprise-wide risk analysis. They are thus unable to pinpoint vulnerabilities in their security system or confidentiality process. Other healthcare providers do undertake a risk analysis, but fail to act upon the insights gleaned from the audit — or they wait to address pressing issues until it is too late.

An organization-wide risk analysis could uncover any number of flaws in current security measures, such as network vulnerabilities, weak authentication protocols, or even a general lack of effective training. (For instance, one study found that 36% of medical office professionals don’t have a clear understanding of HIPAA regulations.)

There could be harsh fines associated with failure to perform or act upon an organization-wide risk analysis. In order to avoid these penalties, as well as any loss of credibility, you should either implement an in-house risk analysis ASAP, or contract with a reputable 3rd party auditor to perform the task for you. Then, once the results of the audit are in, prioritize action items by order of importance. Though these steps involve an upfront investment of time and resources, they can prevent many problems in the future.

Failure to Enter Into a HIPAA-Compliant Business Associate Contract

A healthcare provider’s business associates typically include a number of vendors that are given access to PHI. If agreements with these business associates do not include HIPAA-compliant language and clauses, then the organization may be vulnerable to penalties for HIPAA violations. 

It is also important to note that older business associate contracts may have been HIPAA-compliant at one point, but may not currently be so — especially if they went into effect before the 2013 Omnibus Final Rule from the HHS. Negotiated settlements for such HIPAA violations have ranged from $400,000 to $1.55 million.

In order to prevent heavy fines from a non-compliant business associate agreement, it is important to revise any contracts that went into effect pre-2013. With regards to new agreements, follow the guidelines posted by the HHS as to the appropriate language and clauses to incorporate into any contract.


Inadequate Access Controls for ePHI

In past decades, much Protected Health Information could only be accessed via hardcopy, which was both less convenient and in some respects more secure than today’s electronic access points for PHI. Nowadays, of course, it would be very difficult for healthcare providers and medical office professionals to do their job without the ability to digitally access necessary patient information.

Nevertheless, the HIPAA Security Rule requires that both covered healthcare providers and their 3rd party business associates implement access controls for ePHI, so that only authorized individuals can get in. Failure to integrate such access controls into organizational infrastructure is one of the more common HIPAA violations uncovered by the Health and Human Services office and state attorneys general each year.

In order to avoid the heavy fines associated with unauthorized ePHI access, ensure that your organization has robust information system monitoring protocols in place. Explore different security measures, such as 2-step authentication, and determine which ones will maintain HIPAA compliance without being an excessive burden on authorized employees.

Failure to Use Encryption or an Equivalent Security Measure

Data encryption is one of the most common and effective ways to prevent serious information breaches, such as unauthorized access to PHI. Encryption is such a powerful security measure that breaches of encrypted health information are not considered reportable security incidents unless the encryption key has also been taken.

Granted, encryption is not mandated under HIPAA regulations. However, if a company does not utilize encryption as a security measure, then it must implement an equivalent method. For example, pseudonymization is an acceptable alternative to data encryption, and with proper planning can be considered both GDPR and HIPAA-compliant.

Failure to use encryption can lead to serious penalties. For example, the Children’s Medical Center of Dallas paid out $3.2 million in civil fines for failing to address known security risks, such as no data encryption on portable devices. To reduce the risk of data breaches, make sure that you use encryption techniques, or a robust security alternative.
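The section above names pseudonymization as the alternative to encryption. As an added example (not code from the original article or from NetTech Consultants), the Python below shows the keyed form of it: direct identifiers are dropped from each record, the medical record number is replaced by an HMAC-SHA256 token under a secret key, and the token-to-MRN table is returned separately so it can be stored apart from the analytic dataset. The record layout, field names, sample values, and the fixed key are all constructed for the example; the key is hard-coded only so the output is reproducible, and in practice it would live in a key store with the re-identification table, never beside the data.

```python
"""Added example, not part of the original article.

Keyed pseudonymization of patient records with HMAC-SHA256. Records, field
names and the key are constructed for the example.
"""
import hashlib
import hmac

# Direct identifiers from the PHI list (name, date of birth, SSN, address, ...)
# are removed outright; the MRN is replaced by a token so visits stay linkable.
DIRECT_IDENTIFIERS = {"name", "dob", "ssn", "address", "phone"}

PATIENT_RECORDS = [
    {"mrn": "MRN-00123", "name": "Ada Example", "dob": "1970-04-02",
     "ssn": "000-00-0000", "diagnosis": "J45.20", "visit_year": 2019},
    {"mrn": "MRN-00124", "name": "Ben Sample", "dob": "1985-11-30",
     "ssn": "000-00-0001", "diagnosis": "E11.9", "visit_year": 2019},
    {"mrn": "MRN-00123", "name": "Ada Example", "dob": "1970-04-02",
     "ssn": "000-00-0000", "diagnosis": "J45.21", "visit_year": 2020},
]

# Fixed 32-byte key so the example is reproducible; a real key is generated
# with secrets.token_bytes(32) and kept in a key store, not in source.
EXAMPLE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic keyed token: same key and MRN give the same token."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key):
    """Return (pseudonymized records, re-identification table)."""
    output, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["mrn"])
        lookup[token] = rec["mrn"]
        clean = {k: v for k, v in rec.items()
                 if k not in DIRECT_IDENTIFIERS and k != "mrn"}
        clean["patient_token"] = token
        output.append(clean)
    return output, lookup


def reidentify(pseudonymized, lookup):
    """Map tokens back to MRNs; only possible with the separately stored table."""
    return [lookup[r["patient_token"]] for r in pseudonymized]


if __name__ == "__main__":
    data, table = pseudonymize_records(PATIENT_RECORDS, EXAMPLE_KEY)
    for row in data:
        print(row)
    print("distinct patients:", len(table))
```

A plain SHA-256 of the MRN would not do here: MRNs have little entropy, so anyone holding the dataset could hash candidate numbers and match them. The secret key is what makes the token non-reversible without the table, and keeping that table and key separate from the dataset is what gives the arrangement the "equivalent measure" character the section describes.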

Impermissible Disclosures of PHI

Impermissible disclosures include a broad range of HIPAA violations. Any disclosure of PHI that is not permitted under the HIPAA Privacy Rule falls under this category. Such violations could include:

  • Improper disclosure to a patient’s relative, friend, employer, etc.
  • Potential disclosures resulting from the theft or loss of portable devices that carried PHI
  • Potential disclosures from careless handling of PHI
  • Unnecessary disclosures
  • Disclosing PHI after patient authorization has expired

Impermissible disclosures can result in millions of dollars’ worth of civil fines. In order to reduce the risk of impermissible disclosure, train your employees that handle PHI, especially on portable devices, as to security best practices (e.g., not leaving a laptop unattended in a public setting, always locking the computer screen, and so forth). In addition, make sure that there is a process in place, such as a checklist, to ensure that a disclosure is permissible before giving out the information.

Denying or Delaying Patient Access to Health Records

HIPAA regulations give patients the right to access their medical records, as well as obtain copies on request, in a timely and expedient manner. Companies that deny patients access to their own records, overcharge for copies, or neglect to provide requested copies within 30 days are in violation of the HIPAA Privacy Rule.

Denial of patient access can lead to stiff civil fines. For instance, Cignet Health of Prince George’s County was fined $4.3 million for denying patients access to their own records. While historically this is not a common HIPAA violation in terms of financial penalties, since 2019 the Office for Civil Rights has started to crack down on this aspect of non-compliance. 

In order to avoid a similar penalty, it’s important that you establish clear procedures for responding to patient requests within the 30-day timeframe.

Failure to Issue a Data Breach Notification Within 60 Days of Discovery

According to the HIPAA Breach Notification Rule, covered entities must report data breaches that affect more than 500 people without “unnecessary delay,” and no later than 60 days following the discovery of the breach. Exceeding the 60-day deadline is a common HIPAA violation, and can lead to a heavy financial penalty.

In order to prevent this from occurring, make sure that relevant breach details are transmitted to the OCR, that the breach is reported to a major media outlet that serves the area affected by the breach, and that notification is posted on the company website.

Improper Disposal of PHI

According to HIPAA regulations, both physical and electronic PHI must be properly disposed of after their retention periods have expired. For hardcopies, this typically involves shredding or pulping; for ePHI, the disposal process could involve degaussing, secure wiping, or destruction of the portable device on which the ePHI is stored.

As with the other HIPAA violations mentioned above, improper or incomplete disposal of PHI could result in unauthorized disclosures, and stiff financial penalties. You can reduce the risk of data breaches resulting from improper PHI disposal by using appropriate and comprehensive disposal methods for each form of expired PHI in your database.

The 9 violations discussed above are just a sampling of the many ways that HIPAA rules could be broken. One way to help mitigate the risk of HIPAA violations is to partner with a reputable IT services provider – one that can help you manage your sensitive data, and remain HIPAA-compliant. If you’d like to learn more, reach out to NetTech Consultants today.


Welcome To The NetTech Consultants Blog

It’s our pleasure to welcome you to the NetTech Consultants Blog. NetTech has been a staple IT company in the Jacksonville area since 1995. As we’ve grown and served many clients over the years, we’ve accrued quite a bit of knowledge about how to keep IT operations running smoothly and how to leverage IT as a strategic asset for your business. This blog is our chance to give back some of that knowledge by creating a repository of resources to help you get armed with the knowledge necessary to improve your operations, leverage the help of the right IT partner, and manage the cyber risks in the small business landscape.
