The State of Security, Privacy & Compliance
In This Issue
243 Charged for Medicare Fraud
OCR's New Privacy Deputy Director
New Infographic on Business Associate Risks
CTek Named in Data Security Report 2015
Tactics to Prevent Phishing Attacks
CTek Leadership Team Expands
Security Q&A


July 2015

Did you keep up with what was happening around the industry this past month? CynergisTek's July edition of The State of Security, Privacy & Compliance features highlights of recent happenings, including changes at OCR that went into effect this week and recent schemes causing $712M in Medicare fraud. This month also features a few CynergisTek updates and our latest infographic on the risks associated with using third-party vendors.


Top Articles From June
Enforcement: 243 Charged in $712M Medicare Fraud Scheme
HHS and FBI officials released a joint announcement stating that 243 individuals (including 46 doctors, nurses and licensed medical professionals) are being charged for schemes that totaled $712 million in false billings. This is the largest takedown in the history of the Medicare Fraud Strike Force in terms of loss amount and number of individuals involved. 

The defendants participated in the alleged schemes by submitting false claims for treatments that were medically unnecessary and often never provided. In many cases patient recruiters, Medicare beneficiaries and other co-conspirators were allegedly paid cash kickbacks in return for supplying beneficiary information.

CynergisTek's Mac McMillan points out that this should serve as a wake-up call to any healthcare professional who participates in fraudulent and criminal activities. It is also a good reminder as to why organizations need analytical tools that can proactively monitor and detect inappropriate behavior.
OCR Adds New Privacy Deputy Director
The Office for Civil Rights (OCR) announced that Deven McGraw joined OCR and began her role as Deputy Director for Health Information Privacy on June 29th. In this role, she will spearhead OCR's policy, enforcement and outreach efforts for the HIPAA Privacy, Security and Breach Notification Rules. She will also lead OCR's efforts to work on presidential and departmental privacy and security priorities. Previously this position was held by Sue McAndrew, who retired over a year ago.

CynergisTek's CEO, Mac McMillan, and David Holtzman, VP of Compliance and a former OCR advisor, provided a few thoughts and insight on the announcement that we'd like to share with you. Both have worked with McGraw in the past and think that she is a great fit for this role. McGraw brings a tremendous wealth of thought leadership on privacy issues and the role that HIPAA rules should play in the development of health information exchange, as well as how the Internet of Things impacts health information privacy and security. McMillan also points out that OCR will benefit from her ability to objectively evaluate how OCR is handling its enforcement and guidance responsibilities.
Infographic: Business Associate Risks in Healthcare
Did you know that business associates' inadequate security precautions are the single largest threat to covered entities? Unfortunately, many business associates are still not practicing proper security methods, putting themselves and the covered entities they serve at increased risk. Our latest infographic highlights the risks associated with business associates along with examples of recent breaches that occurred at a business associate. Download our latest infographic to learn more.
CynergisTek Named Data Security Market Share Leader

Healthcare Data Report 2015 named CynergisTek as a vendor often turned to for data security help. The report is based upon surveys of over 200 CIOs, IT Directors and Managers, Security Manager/Director and other VPs from various hospitals across the U.S. The research took a deep dive into the challenges and priorities of providers' information security programs.


Some of the key findings include that nearly half of the hospitals surveyed have multiple roadblocks hindering information security, with the most common being lack of budget and employees who don't comply with policies and procedures. It also found that most of the C-suite and executive staff believe that threat prevention is impossible. Some of the top priorities to improve data security cited in the report include mobile device management, intrusion detection/prevention, data loss prevention and mobile device encryption.

The survey also determined which vendors were market share leaders that providers turn to for help with data security. CynergisTek is proud to announce it placed in many different categories.

Don't Click That Link! More on Phishing
Phishing scams that cause a breach at healthcare organizations will continue to make headlines as long as the industry continues to be highly sought after by hackers. Recently, the American Osteopathic Association featured David Holtzman's tactics on how to avoid a phishing scam. The tips are simple, such as not clicking on links or attachments if you don't recognize the sender, but consistently reminding staff of these tactics is the key to shutting down phishing attacks. Be sure to remind your staff of all of the tips provided in the article.
Leadership Team Expands by Adding Adam Hawkins as VP of Sales
CynergisTek's leadership team continues to grow as the need for privacy and security services grows. Effective July 1, 2015, Adam Hawkins joins the leadership team as Vice President of Sales and Marketing. He will be responsible for the sales and marketing operations at CynergisTek, as well as the strategic planning, development and implementation of the company's Managed Services and Vendor Security Management offerings. In addition, Adam will continue to ensure a high level of support is maintained across the company's client base of healthcare provider organizations. Adam originally joined CynergisTek as Director of Client Services in 2012, and was an integral part of developing a highly successful sales team as the company restructured its sales and marketing efforts from the ground up.
Security Q&A: What Technical Controls You Should Be Implementing
This month's Q&A is a security-related question that we often hear while working closely with healthcare organizations.

Certain types of information, such as ePHI and other sensitive organizational data, need to be protected more strictly than standard data types. What technical controls should I implement to enhance the protection of this data, and how can I find out where this data is in my environment?

Ultimately, an organization must know the storage location and data flow of ePHI and other sensitive data to properly implement the technical controls necessary to protect this data and provide enhanced protections. Most organizations consider ePHI and other sensitive data to be everywhere in the environment. These data types should be protected using additional security controls such as full disk encryption, secure communication methods, and strict access controls. Audit logging on systems that contain these data types must be configured to specifically capture all access attempts and actions that occur on these elements. For example, implementing access control lists or firewalls between network segments to create security zones will allow any organization to restrict access to only authorized workforce members.

Finally, an organization can utilize automated tools such as a data loss prevention solution that includes data discovery functionality to really understand where ePHI and other sensitive data lives and how it traverses the network infrastructure. This type of solution can help reduce the hours required to manually perform these actions.
Thank you for reading this month's newsletter. Have a question about security, privacy or compliance that you'd like to have us answer in next month's newsletter? Reply to this email and we'll get the appropriate subject matter expert in touch with you. 


The CynergisTek Team
