Serious Android Flaw Could Turn Mobile Apps Malicious

A weakness in the Android security model that validates mobile applications could be used by an attacker to turn a legitimate Android app into a dangerous attack platform, according to a security firm that discovered the vulnerability.

The weakness, discovered by San Francisco-based mobile security startup Bluebox Security, was reported to Google (NSDQ:GOOG) and has been corrected, but the firm said millions of Android devices remain vulnerable. The flaw enables an attacker to bypass the Google Play security mechanism designed to review changes to applications before they are sent to users.

Bluebox Chief Technology Officer Jeff Forristal will present the details of the vulnerability later this month at the 2013 Black Hat conference in Las Vegas.

The Android flaw, which has been in the firmware since 2009, enables an attacker to modify the mobile application code without breaking its cryptographic signature, wrote Forristal. In an alert to Android owners last week, Forristal said application changes could be made without being noticed by the app store, device or end user.

“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” Forristal wrote.

Digital signatures are used by both Google and Apple to determine the validity of a mobile application. The flaw enables the digital signature to remain intact even if modifications are made, Forristal said. Bluebox showed a screenshot of an HTC device showing how the manufacturer’s software can be modified to access all permissions on the device.

An attacker can program a legitimate app to make phone calls and record them, send text messages or turn on the camera. “Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Forristal wrote.

Millions of mobile phones could continue to be at risk because security updates pushed out by Google must go to individual handset makers before being pushed out to device owners through their mobile carrier.

Breaking or cheating the cryptographic signature used to validate applications is a potentially serious issue opening up device owners to a wealth of serious problems, said Cameron Camp, a security researcher, at Bratislava, Slovakia-based antivirus vendor ESET. Code signing and application isolation or sandboxing are among the security measures used to make mobile devices safer.

“If you can break the crypto or cheat the crypto into thinking it’s something that it’s not then that is a dangerous problem,” Camp said.

Google did not respond to a request from CRN for comment. The company has reportedly updated its official app store, Google Play, to thwart attempts to cheat the app verification process. But Camp said mobile malware writers bypass Google altogether, getting malicious applications onto devices by using third-party app stores.

Android malware has increased significantly, with more than 92 percent of mobile malware targeting the platform, according to Juniper Networks (NSDQ:JNPR), which released its annual mobile threat report last week. Other reports found a precipitous increase in mobile attacks targeting Android devices. Google has been adding improvements, Camp said, including the addition of Bouncer, a malware scanner that vets apps before they are officially released to Android device owners.

“There are still an awful lot of apps to be analyzing on a daily basis, so determining with any degree of assurance that no malicious code out there is going to be difficult,” Camp said.

Originally posted here: http://www.crn.com/news/security/240157895/serious-android-flaw-could-turn-mobile-apps-malicious.htm?cid=nl_sec

Apple Users Beware: Phishing Sites Are After Account Credentials

It’s not a surprising finding, and one that experts have been predicting, but data being collected by antivirus vendors is revealing a rising number of threats targeting Apple (NSDQ:AAPL) users. While malware growth is relatively flat, phishing sites designed to trick users into giving up their account credentials are on the rise.

Threat detection data collected by Kaspersky Lab shows a significant increase in phishing sites attempting to trick users into giving up their Apple account credentials, according to Nadezhda Demidova, who recently provided analysis of the Apple phishing threat data. Apple iCloud and iTunes accounts can be lucrative to cybercriminals, Demidova said.

In addition to information stored in the Apple account, “many malicious users go further and try to steal the bank card details used to pay for those purchases,” Demidova wrote.

Phishing attacks targeting Apple users increased from 1,000 detections per day on average in 2011 to about 200,000 detections per day today, according to the Kaspersky Lab data. Many of the sites attempt to mirror the official Apple store or an official-looking Apple credential reset page. A user who doesn’t pay attention to the location of the Web page can easily be tricked into giving up information.

Fake Apple.com phishing sites rose and declined throughout the year, but some significant surges can be traced to Apple events. Demidova noted that some of the surges in phishing can be attributed to iTunes store unveilings in Russia and more than 50 other countries in 2012.

The Mac malware threat, meanwhile, remains low. Only 2.5 percent of threats encountered by Mac users were written specifically for Macs, according to statistics from Symantec (NSDQ:SYMC). The latest Threat Report from McAfee supports Symantec’s findings and noted that malware growth was flat throughout much of 2012, with no growth in the first quarter of 2013.

Much of the Apple malware being detected stems from attack toolkits that continue to use the Flashback Trojan, which was behind an advertising click fraud campaign that targeted a Java error to infect Macs. Statistics vary but most experts say that Flashback infected about 600,000 Macs. Flashback may have served as a wake-up call to Apple users that they are not immune to malware attacks despite the lower risk of infection.

Graham Cluley, a U.K.-based security expert, said Mac threats are lower in number but include many of the standard problems encountered by PC users. Fake antivirus software has been configured to target both Mac and PC users and malicious software also targets browser components regardless of the platform the user is running, Cluley told CRN.

“I think you would be very foolish to not run an antivirus on your Mac,” Cluley said. “Mac malware in the last couple of years has moved from being experimental to having clearly been built with financial and spying motivations.”

Originally posted here: http://www.crn.com/news/security/240157681/apple-users-beware-phishing-sites-are-after-account-credentials.htm?cid=nl_sec

Microsoft Aims To Take On iPad In Health Care


When internist Nitin Patel called up Microsoft in May to rave about its Surface Pro tablet, Dennis Schmuland, the company’s head of health strategy for U.S. Health & Life Sciences, was taken aback. “I was surprised, because he was so excited,” says Schmuland. “We didn’t solicit this.”

Microsoft is elated by Patel’s call. While physicians’ use of tablets is widespread (72%, according to Manhattan Research), more than half of the nearly 3,000 physicians it surveyed used an Apple iPad in the first quarter of 2013. Microsoft released Surface RT last year, and Surface Pro this past February. According to IDC, shipments of Surface amounted to 900,000 units in this year’s first quarter. It has a long way to go to catch up with the iPad, which commands nearly 40% of the tablet market. “We’re not getting any requests from doctors to build on it [Surface],” says Daniel Kivatinos, a founder of drchrono, which provides an electronic health record specifically for the iPad. Also, a 128 GB Surface Pro retails for $999, versus $799 for an iPad.

Patel, who doubles as geek-in-chief at Palmetto Health, one of the largest hospital systems in South Carolina, tried the iPad. He disliked the wait to log into a patient’s chart, the small screen, and the lack of a keyboard, among other things. On a Friday afternoon, he drove over to a Best Buy in Columbia and bought a Surface Pro, keeping the receipt. He didn’t return it. Patel was immediately impressed by its speed in accessing a patient’s chart, and its compatibility with the Cerner electronic health record, which Palmetto uses throughout its hospitals and clinics. Patel says he now sees two more patients per day as a result.

William Jennings, Palmetto’s medical informatics officer, was initially skeptical, but Surface won over other doctors. “We’re providing an environment where physicians pick what they want. We want technology to work for us, not the other way around,” says Jennings. Palmetto just started a three- to six-month pilot with 30 physicians, including obstetricians and surgeons, who will use Surface on loan from Microsoft in their everyday practice. The goal is to measure patient and physician satisfaction, as well as the impact on productivity, which typically drops when medical providers go digital.

“What Palmetto has proven is that you can run Windows 8 or 7, and have the full features of an electronic health record,” says Schmuland, rather than the lighter version usually offered on an iPad. If so, that would address major complaints by untethering doctors from their desktops and allowing them to interact more freely with their patients. He says Microsoft is talking to several electronic health record vendors, including Cerner, Epic, and Allscripts, about developing applications.

Schmuland doesn’t know how many doctors are using Surface, but he’s starting to hear more anecdotes, such as Palmetto’s. “This is an early wave indicator that Windows 8 is resonating with the industry,” he says.

Microsoft sent a crew to Columbia, South Carolina, to film doctors at Palmetto using Surface Pro. Check it out.

http://youtu.be/7mlKtMINgn0


Originally published at: http://www.forbes.com/sites/zinamoukheiber/2013/07/01/microsoft-pins-its-hopes-on-tablets-in-health-care/

Do Your BA Due Diligence

Long gone are the days that you pull down a template Business Associate Agreement and everyone just signs it.  BAs may not understand the extent of their obligations under HIPAA.  You need to confirm your agreements plus check what they are really doing to comply.

I really don’t recommend blindly using a template agreement to anyone.  Make sure you know what the agreement is committing for both parties.  There are optional things in those templates that can cause problems for some businesses.  Many folks just rolled them all in there and never looked at the implications closely.

Once you have the agreement worked out, get at least a general understanding of what each BA is doing for their own compliance including BAs they use to provide services.  We use a due diligence checklist to help with the process.  Here are a few things we have learned while doing them.

IT Support Companies.  If you are trying to manage HIPAA Security requirements without some sort of IT company involved (or your own IT staff), you probably aren’t doing everything that is required.  Someone has to understand firewall logs, encryption key management, network scanning, etc.  BUT, make sure the one you do use is HIPAA compliant.  If they have admin access to all your servers they have access to everything, and they can’t do their job well without that level of access.

We find that most IT companies have the security part of the rules covered, maybe not documented fully but mostly in place.  The real problem comes when you ask about anything outside the Security Rule.  They should have a training program, understand minimum uses and disclosure requirements, breach notification policies and procedures and a few more things that have nothing to do with the Security Rule.  Make sure they understand there is more to HIPAA than the Security Rule.

Collections Services.  Collections services vary widely in the data they gather.  Many of these services may not specialize in medical but make it a segment of their business.  Be very thorough with any service that doesn’t offer specific secure connections or instructions for data exchange.  When checking these guys you have to ask about Security first.  You may never even get to the things outside of security requirements before you know you have a problem.  Make sure to determine how much medical work they are doing first then ask about the rest of compliance, especially how they worry about encryption at all stages of the process.

Accounting/CPAs.  Sometimes these are also collection or billing services, which may make things easier.  Think through what else you do with them and make sure you understand exactly what they are doing with the patient information they may be privy to in the course of their services.  In cases where they are simply doing accounting they may only see patient data when dealing with large balance accounts or writing refund checks.  It is still PHI.  Make sure they have a plan to protect PHI.  Also, make sure they train employees on HIPAA even if they think they are discreet enough already, because the requirement applies to everyone.

Billing Services.  These guys deal in high volumes of data moving through their offices all the time.  They usually have a decent understanding of the uses and disclosure rules but may be lax in security within their office.  Also, they have a lot of downline BAs and subcontractors in most cases just in processing services.  Make sure they have security plans in place and understand clearly what their BA and subcontractors obligations include.

Transcription.  We encounter a wide array of situations when we ask about transcription.  You need to be sure you know whether they are signing your BAA but using subcontractors that may not be signing one with them.  This area can get very messy just working out who is storing data and who is accessing data.  Review every part of their setup to be sure they are covering their bases.  Make sure you check a lot of details with this BA, both for the service as a whole and for individual contractors.

Many of the compliance management tools include BA management features.  It is a very valuable tool to help you keep up with all this information and documentation.  It is hard enough to keep up with our own stuff but you have to get some info about all their stuff too.   It is important, though.

By checking on your BAs to make sure they truly understand their obligations, you better protect your patients and your business from compliance problems that aren’t under your roof.  If you have a BA that you know is a BA but they don’t want to become compliant, you have very specific steps you need to follow in order to protect your compliance status.

  • Take reasonable steps to cure the problem with the BA and get compliance in line
  • If a BA still does not comply, you must terminate the business contract on HIPAA compliance grounds.
  • If there is no other entity that can provide the service you get from the non-compliant BA, you must report them to HHS.

One more thing…  BA management isn’t just for CEs anymore.  All you BAs need to follow the same process for your BAs.

Original article authored by Donna Grindle, used here by permission.

I Love A Rainy Night…


Just like Eddie Rabbitt, I love a rainy night as well.  My computer and other electronics, not so much.

This time of year boasts some of the most damaging electrical storms of the year, especially in our area (Mid-Carolina Region).  As it happens, we get tons of calls from customers and clients after a summer storm with complaints that their PCs or network equipment are not working.  So, let’s look at this briefly and hopefully we can help you should you ever find yourself in this situation.

First, let’s talk about electronics and lightning in general.  For simplicity we are just going to focus on a PC, but the rules remain the same for almost any electronic item, particularly computers and peripherals.  The components inside your PC are VERY sensitive to electricity and ESD (electrostatic discharge).  Remember when you were a kid and you would drag your socked feet on the carpet and shock the mess out of your sibling?  Have you ever exited your car in the winter and had the door give you a jolt of electricity from static buildup?  Well, these small lightning bolts are far more than enough to damage the internal components of your PC.  On more than one occasion I’ve seen someone touch a computer case and the static shock caused the PC to shut off.  Now, imagine what a nearby lightning strike can do.

So how do you protect your PC from lightning?  The absolute best way is to unplug it from the wall.  TURNING THE PC OFF AND LEAVING IT PLUGGED IN IS WORTHLESS.  Sorry to have to emphasize that but I hear that all the time… “but I had it turned off…”.  Simply, turning it off doesn’t remove it from the circuit… UNPLUG IT.

“But what if I’m not there to unplug it?”… I’m getting to that now.  Of course you’re not going to be able to unplug it every time a storm comes up… and even if you could, I highly recommend a good… no… a GREAT surge protector.  Come on… you spend $600 and up for your PC and peripherals and you want to protect it with a $9 power strip?

The industry standard for measuring electrical energy is Joules. A surge protector’s Joule rating tells you how much energy the surge protector can absorb before it fails. A higher number indicates greater protection.  Most good surge protectors will cost around $30 to $50 and typically come with some kind of assurance, insurance or warranty.  The two best brands (in my opinion) are Tripp Lite and APC.  There are other brands which are good, so pick what you want so long as the Joule rating is high.  I recommend nothing less than 2160 Joules.  Remember, this is protecting a large financial investment in your electronics, so don’t go cheap here.

Lastly, if you find yourself faced with a PC that will not function after a storm… what do you do?

Listen carefully… once you realize the PC will not turn on, DO NOT continue trying to turn it on. You can, and most likely will, cause further damage the more you mess with it.  In many cases the damage is initially rather isolated but continuing to try to turn it on allows for the damaged parts to send surges and spikes throughout the rest of the internal components which can result in a total loss of the PC… including your precious data (see our post on having a backup).

(DISCLAIMER – if your system is damaged this could cause further damage… do this at your own risk).  Many times the PC is not turning on because there was a quick power cycle which put the PC in a state of flux, and it was not actually hit by lightning or an electrical surge.  In these cases, the PC is likely NOT damaged but just “confused”.  Here is how to fix it… if this is the problem.  Unplug the PC for about a minute (make it 2 to be sure).  This will give the PC time to drain all the electricity stored in its components.  While it is unplugged, check the outlet you are plugging it into to ensure it actually has power.  Now, plug the PC back in and try to turn it on.  If it turns on, you just saved yourself an unnecessary repair bill.  If it does not turn on… DO NOT TRY AGAIN.  Take it to your trusted PC repair company (like Carolina Computer Concepts) and allow them to test the PC with special equipment and handle the repair properly.


And for all you Eddie Rabbitt fans… here ya go:

First Look At Windows 8.1

What will Windows 8.1 Preview add or change about Windows 8?

Well, instead of telling you, we thought it best to just show you.

http://youtu.be/VQb5caeSo00

Ok… Did you notice anything interesting about that preview?  Something that was seen but not talked about?  Come on, watch it again.  You can’t miss it!

Go to our Facebook page and comment under this post on what you think it is.

Beware Windows 8.1 Preview

When the 8.1 preview is available, Windows 8 and Windows RT users will receive a Windows Update notification. That update will trigger the new bits to show up in the Windows Store, where potential testers will be able to read the description and choose whether or not to install.

Once the final versions of Windows 8.1 are available, after their release to manufacturing, those who have downloaded the preview will get the same Windows Update plus Windows Store notification. While the user’s data and accounts will be preserved if and when they choose to install the free, final 8.1 release, all their apps must be reinstalled.

Even if testers opt instead to roll their devices back to Windows 8 after installing the preview bits, they still will have to reinstall their apps once they move to the RTM version of Windows 8.1.

Windows 8 users who do not install the preview build and opt instead to go straight from Windows 8/Windows RT to Windows 8.1 will not have to reinstall their apps. All settings, data and apps will carry over. Users will be able to decide when and if they want to move from Windows 8 and Windows RT to the 8.1 versions.

Niehaus, a spokesperson for Microsoft, characterized the Windows 8 to 8.1 upgrade as “a little better” than how Microsoft handled the Windows 8 test build to RTM upgrade. A Microsoft spokesperson said the Windows 8 to 8.1 upgrade would be “comparable” to the Windows 7 to Windows 8 upgrade, in terms of how the upgrade dealt with user settings, data and apps.

Niehaus also told session attendees that Microsoft expects to have a reduced footprint size for Windows 8.1 as compared to Windows 8. He said the team has been working on removing old components, temporary files and improving NTFS compression to free up more space on users’ machines. He noted that 4 GB of free space will be needed to install the Windows 8.1 preview builds. And he said that installation of Windows 8.1 will not result in the replacement of the recovery partition in Windows 8.

“If you deleted it, [8.1] won’t replace it,” Niehaus said.

So, let’s recap… If you plan to check out the Windows 8.1 Preview, you WILL have to reinstall your apps whether you move on to the final 8.1 release or go back to 8.0.  If you wait for the final release of 8.1 and move from 8.0 to the final release you WILL NOT have to reinstall your apps.

CCC edited the original story for content.  This story originally appeared at ZDNet under the headline “Microsoft goes public with Windows 8.1 upgrade policies.”

This Message Will Self-Destruct…

We’ve all seen Tom Cruise in the Mission Impossible movies taking on impossible odds with the coolest gadgets imaginable.  One of the best noted parts of the Mission Impossible movies (even the old TV show) was the self-destruction of the secret message.  Wouldn’t it be so cool to be able to do this?

Well you can.  Using BurnNote.com, you can send a private email message to anyone.  The recipient will receive an email directing them to the Burn Note website where they can view the message.  When the recipient starts viewing the message, a timer starts and gives them just enough time to read the message and then it disappears… forever.

Here is what the official Burn Note site has to say about its service:

“Every message on Burn Note is automatically deleted using a timer when it is opened. Deleted Burn Notes are completely erased and can not be recovered. While being viewed, our patent-pending Spotlight system makes message contents resistant to copying, capture via screenshots, and the glances of curious bystanders.”

Just think of the possibilities of how useful this can be.  Send confidential information to someone, such as passwords.  Let friends know of a surprise party for someone.  Send your spouse a message at work without it being tracked within their corporate email.  Send sensitive information to a client.  The list can go on and on.

There is also an app for the service on Google Play and the App Store, so you can use it easily from your smartphone or tablet.

Give it a try and post back on our Facebook page what you think about it.

Click “Like” below and also share it with your friends by clicking your favorite social media icon below.

How Do You Know Who is a HIPAA Business Associate?

One of the first processes we go through for HIPAA Compliance is to identify all Business Associates (BAs).  That has to be done for CEs and BAs alike.  The Final Rule has changed the status and viewpoints for many CEs and BAs. We have addressed a lot of questions on the topic lately.  Now seemed like a good time to go through some of the examples and tips we have discussed with a variety of clients.

The new rule makes it clear.  Signing an agreement doesn’t make you a BA, doing work that gives you access to PHI makes you a BA.  People have claimed exemptions for various reasons for years and that can’t be done any longer.  There are many BAs struggling with the process right now.  Last week, a BA responded to a readiness survey from one of the CEs in our compliance program with a single question “Do we have to fill this out?”.  I am certain that business qualifies as a BA and they obviously have no idea what is going on.  Checking on your BAs should be a top priority based on what we are seeing and hearing.

A great way to make sure you have all BAs on a list is to use your accounts payable as well as the 1099s you generated.  Take a minute to think about every one of them, because some may need attention for HIPAA reasons other than being a BA.  We expect at least 5 or 6 BAs for most groups we work with on compliance.  Depending on their structure, size and activities there can be many more.  Small CEs and BAs have a different environment than large entities.  It is worth going through the whole list.

Here is a list of similar businesses you may find on your AP/1099 list.

  1. Scrubs That Are Best – Scrubs Service – we will call them STAB
  2. Clean and Pretty – Cleaning Service – CaP
  3. People Ask You, Inc – Collections Service – PAY
  4. Patterson, Salvatori, Bitterman and Enis – Attorneys – PSBE
  5. Zimmerman and Pierce – Heating and Air Service – ZaP
  6. Melissa Odum-Madison – Contracted bookkeeper – MOM
  7. Shred, Haul, Install and Track – Document management – we will just call them the shredding company
  8. Hippert, Ikemoto, Paine, Abruzzo and Alvarez – CPA Firm – HIPAA
  9. Advanced Concepts for Your Information Technology – IT support – what everyone calls them: the computer guy
  10. Medical Equipment Devices – Provide medical devices for tests – MED

Now, let’s go through the list and discuss how they may be classified and evaluated.

1- STAB only supplies scrubs for the office, so that shouldn’t be a big deal and no HIPAA involved, right?  But, in our conversation about BAs we learned that the STAB delivery staff has keys to the back door to drop off the clean scrubs and pick up the dirty ones each week.  That leads to more questions and decisions that must be made about their physical access.  While they aren’t a BA for the work they do, they have access that does involve HIPAA regulations and may have been missed without this exercise.  Don’t put them on your BA list, but put them on your “gotta deal with that one” list.

2- CaP only comes in to clean, so they should be fine.  We have had them for years and it is a family business.  No HIPAA problems, right?  That depends.  Do you lock up all your charts and computers every night?  Do they only clean when someone is at the office who watches over their work?  In March, the Atlanta Journal reported a case of identity theft that involved office cleaning companies.  People would work for a cleaning company for just a week, filling in for someone, and stick a USB device in a couple of computers the first night, then pick it up the last night of their temp job.  The whole time it is logging keystrokes on each computer.  They end up with all the information typed on that computer for the week.  Personally, I find it hard to give cleaning companies the benefit of the doubt in offices any longer.  I think they need to be BAs to be cleaning offices for CEs and BAs now.  There are some cases where they aren’t, but it requires laying out very specific guidelines on how the service will be managed in your office.  Most small businesses don’t have that ability.

3- PAY gets a list of patients and all their contact information in order to do the collections.  I have heard some collection companies claim they don’t get treatment information, so they aren’t BAs.  What do you give them to contact your patients?  To do your collections they know the person saw your practice, and they have to have some reference, like a date of service.  Then you have to give them the date of birth, address and phone.  Well, you see what I mean.  I recommend you treat them as a BA or get a HIPAA attorney involved for an opinion.

4- PSBE handles malpractice claims, among other duties, for your practice.  There are plenty of references pointing out that they are BAs.  Don’t be surprised if they aren’t eager to admit it, though.  That isn’t unheard of, but it should be less likely under the new rules.

5- ZaP doesn’t need access to any PHI in order to do their job for you.  But, just as with STAB, the discussion does bring up another issue.  When they come in to work on things in your office, does anyone notice what they are doing or where they are while they are doing it?  Incidental disclosures may happen through the vents they are working on, but what about the story about the USB drive and the cleaning crew?  Should you really just let them roam around the office without a thought?  Add another one to the “gotta deal with that one” list.

6- Good ol’ MOM comes in and helps do the bookkeeping.  She works for us on a 1099 basis, but only for us and no other practices or businesses.  Part of the bookkeeping work does make it necessary for her to have access to PHI, so what do we do?  Is MOM a BA?  Oh no!  That will just not work – what are we going to do?  Who is going to tell Dr. Madison that MOM is a BA?  Wait, calm down.  No one needs to upset MOM or Dr. Madison.  A 1099 does not make anyone a BA.  In this case, MOM is a member of your workforce under HIPAA definitions.  Include her in the same training and rules you use for all your other employees.  Add it to your “gotta deal with that one” list to make sure she is included in all the training programs.

7- The shredding company.  We have them covered: they know they are a BA and we have a BAA with them.  But we still need to check the status of the BAA and update it with the latest requirements.  They also need to provide some assurance that they actually are following compliance requirements.  Another thing, though.  As you were pointing out your shredding bins, we noticed they are just large garbage containers with a lid on them.  There are no locks or anything.  Anyone can open them up and take things out at will.  They sit out of the way, so no one notices them.  When you contact your shredding company you should probably ask for a more secure container, one that isn’t so likely to spill documents out on the street or give anyone easy access to grab a handful of them.

8- HIPAA knows they have to deal with HIPAA.  It is in their name!  They write refund checks and have all the details of each patient to reference when accounting for the refund checks.  BA.

9- The computer guy is what everyone calls IT companies in their office.  We are used to it.  We are also used to having access to everything.  There are some “computer guys” that make a case for not being a BA because they never look at the patient data.  Having access to everything means access to everything, including ePHI.  You really must have an IT company that is a BA and understands HIPAA Security Rule requirements.  They have to help you implement, monitor and manage your compliance.  BA, big time, because you need them to be one unless you have your own in-house IT skills to manage it.

10- MED is like most device companies, still trying to figure out exactly how they will handle HIPAA. They have to do it. There are discussions all over the place about how much data those devices hold now. They should be more prepared than any of the others on this list for your BA readiness survey.

Hopefully, this helps answer some questions concerning BAs for all those involved. It may open up more questions, but at least we are talking about it differently than before.

Reposted with permission from smallproviderhipaa.com

Small Businesses Waste $24B Annually Trying to Manage Their Own IT Environments

A new Microsoft (NASDAQ: MSFT)-backed research study found that SMBs worldwide fritter away some $24 billion in productivity annually by assigning non-technical personnel to manage their IT environments. Read between the lines, and the study makes the case for small businesses to make more effective use of Managed Service Providers (MSPs), Value Added Resellers (VARs) and cloud computing.

The study, conducted by researcher AMI-Partners, examined the impact of so-called involuntary IT managers (IITMs) at SMBs in North America, Latin America and EMEA tasked with handling their companies’ IT solutions. In particular, the research focused on the impact on business productivity of IITMs in the U.S., Australia, Brazil, Chile and India.

The $24 billion lost annually results directly from IITMs taking time away from primary business activities to perform IT management functions for which many are ill-prepared, according to the study’s findings. AMI surveyed 538 IITMs in small businesses with 100 employees or fewer and, from that data, extrapolated that 3.8 million SMBs in the target countries manage IT internally with non-technical personnel.

While SMBs in the study invested $83 billion to equip their businesses with IT and communications equipment, they lost $24 billion in productivity trying to manage their IT environments internally. When asked about a solution to the problem, IITMs in the study said they believe cloud-based solutions can ease some of the burden of managing IT.

“Many small businesses don’t have the budget for formal IT support, so they rely on the company’s most tech-savvy individual to manage their technology,” said Andy Bose, AMI Partners founder, chairman and chief executive. “As our research shows, relying on an Involuntary IT Manager can have an adverse impact on small businesses’ productivity, which can negatively affect revenue and translates into a very high opportunity cost.”

Beyond pointing out how much productivity SMBs lose by managing IT operations on their own, the study’s findings indicate a shift toward cloud services by SMBs. Indeed, some 33 percent of IITMs said they are likely to shift more IT spending toward hosted or cloud solutions, while 36 percent are interested in a productivity and collaboration suite.

“The cloud when delivered right is a game-changer, providing small businesses with the IT solutions they need to solve their most challenging small-business technology concerns,” said Thomas Hansen, Microsoft SMB worldwide vice president.

Some highlights of the study’s findings:

  • On average, IITMs lose about 300 hours per year of business productivity while managing IT
  • 36 percent of IITMs feel that IT management is a nuisance
  • 26 percent indicated they don’t feel qualified to manage IT
  • 60 percent of IITMs want to simplify their company’s technology solutions to alleviate the difficulty of managing IT day-to-day

Reposted with modifications from: http://thevarguy.com/business-technology-solution-sales/smbs-lose-24-billion-productivity-annually-winging-it-management?utm_source=052013&utm_medium=FOP&utm_campaign=NL