Providers in the
Waiting Room?

Get them securely provisioned, and enable them
to help their patients quicker.

Spending too much
time Logging In?

Reduce login time and see more patients.

Is your Audit Report
Comprehensive?

Obtain a clear picture of who can access,
who did access and how information is accessed.

Latest News

    • 29 Jan 16

    Are Password Resets your Highest Ticket Volume?

    Too many calls to the Help Desk can be enormously frustrating.  Here's the difference between implementing an off-the-shelf product vs. a solution that directly impacts your workflow, freeing up your team to do more while empowering your company to help themselves.

    Many people think that by implementing some slick wiz-bang tool to allow self-service capabilities for password changes can solve this problem.  This thinking is flawed.  Many organizations purchase an off-the-shelf tool to allow for resetting of the primary password in the organization, such as the network or Active Directory password.  The ticket volumes are still high and the thought is that the tool has failed. 
     
    But the tool is actually working.  Many of those tools out there, if implemented correctly, do their job.  So, why are the ticket volumes still high?  You only dealt with one password.  A typical person has dozens of passwords and the solution implemented only dealt with one.  If this is the case, how can we tackle them all?  Is there a wiz-bang password tool that can handle them all?  No, but there are tools that allow one password to rule them all.  Before we talk about that solution, let’s delve deeper into why we have such high password reset ticket volumes.
     
    If we are lucky, we only have 10 different usernames and passwords.  Let’s also say that we are lucky and our organization has standardized usernames, so we have the same username in all 10 systems and only need to remember one.  The hard part, is that security and compliance will require we change those passwords on a regular interval.  Depending on the application settings and usage, we will be required to change them at different intervals, have different complexity requirements, and also remember the different number of historical passwords.  By the time we have worked at the company for a year or two, we have 10 completely different passwords.  To add insult to injury, we only get 3 strikes before we are locked out.  Sound familiar?
     
    What many people don’t realize is that single sign-on helps with password resets; not that single sign-on tools have magical powers or superior self-service password reset options available, but they perform the very simple task of eliminating the need for users to remember so many different passwords.  Instead of remembering which password you are using for each of your applications, you have a single password to remember.  Then, to add some icing on the cake, we can use our slick wiz-bang self-service password reset tool to help you unlock that password if you forgot it after a nice long 3-day weekend.
     
    To answer the initial question, the password reset ticket volumes are not the highest because users are incapable of remembering a password. They are the highest because users have too many passwords to remember.

    • 11 Dec 15

    Top 10 Things You Should Know About CISA: Cybersecurity Information Sharing Act

    The United States Senate recently passed the Cybersecurity Information Sharing Act, known as CISA. Under this Act, government agencies, corporations and organizations have to share information with each other to identify cybercriminals and gather cyberthreat information. Many companies and individuals have issues with a lack of clarity in the bill, along with privacy concerns as government agencies gain access to sensitive business data. Here are the top 10 things Health IT Experts need to know about CISA and its impact.

    1. Under CISA, government agencies gain access to Electronic Health Records previously inaccessible to the government.

    2. CISA ignores established company privacy policies.

    3. Businesses that share data with the Department of Homeland Security gain legal immunity from litigation related to data collection efforts looking for cyberthreat indicators.

    4. The exact data related to cybersecurity threats is not defined in this Act, which may put health information at risk.

    5. While personally identifying information is supposed to be removed from any data shared through CISA, remaining in compliance with HIPAA regulations while sharing information may be difficult.

    6. CISA only requires reasonable belief that personally identifying information is not contained in the data sent to government agencies, which opens up the possibility of personal information getting mixed in with cyberthreat indicators.

    7. Healthcare providers can gain access to cyberthreat information previously available only through "pay-to-play" data sharing groups, which opens up data access for providers with lower budgets for threat intelligence.

    8. CISA fails to define and limit how government agencies can use the data provided to them.

    9. The Department of Homeland Security disseminates threat information to other agencies, including the National Security Agency, creating concerns of this Act facilitating unwarranted surveillance.

    10. Due to a lack of clarity in the bill, patients could be reasonably concerned over the control and unintentional over sharing of data.

    CISA is a controversial bill due to its vague language and compromised privacy, but the other problem is whether it is effective for its intended purpose. Threat intelligence sharing is not a new concept, but high-profile data breaches in the Health Industry, such as the Blue Cross Blue Shield breach, make a case for strong threat management. eSecurity Planet reports 91 percent of healthcare organizations suffered from a data breach in the past two years, but detection speed is also an essential factor. If the organizations share data weeks or months after a breach, it may be of limited use.


    • 11 Dec 15

    How to Create Another Layer of Security with Multi-Factor Authentication

    Multi-factor authentication (MFA) is a security protocol that adds a level of authentication to any login. It allows users to verify their identity and helps prevent security breaches arising from hacked usernames and passwords.

    Security breaches are becoming more and more common -- there were 888 recorded breaches in the first half of 2015, according to Gemalto. The healthcare industry is the most targeted industry for cyberattacks, due to the high value of medical records. Not only do such breaches erode patient trust, but they are also expensive, with each compromised record costing the industry almost $400.

    Security breaches usually begin with a hacker using stolen login credentials to access the network. Having an additional layer of security is essential to prevent unwanted intruders in the hospital network and to assist in HIPPA compliance.

    Elements of Multi-Factor Authentication
    There are three types of credentials that employees can have:
    • Things that they know, such as usernames and passwords, or PIN codes for their bank accounts
    • Things that they have, such as mobile devices or ATM cards
    • Aspects that are unique to them, such as biometrics (fingerprints or voice prints)

    Single-factor authentication requires only one of these credentials and is relatively easy for hackers to obtain; two-factor authentication requires two of these credentials and, therefore, is more secure. One of the most common implementations of MFA is logging in using a password and username in conjunction with a code received by SMS on an authenticated phone.

    How to Combine MFA With Additional Security Measures
    To further enhance access governance, MFA can be paired with a number of other security protocols such as security information and event management (SIEM), which provides an overview of any logs and other security-based information, and uses this to identify trends in user behavior. This helps identify anomalies that can indicate a security breach, such as the input of an access code from a mobile device that has been reported stolen or an attempted login from a different country.

    For instance, SIEM could identify if a nurse is logging in from a new location, prompting the validation of the login via an access code sent to the nurse's mobile device. If that device has been reported stolen or lost, the event is flagged and the IT security team is made aware of the threat.

    Protecting Healthcare Data Is Critical
    As hackers become more sophisticated with their methods, healthcare providers must take additional precautions to protect valuable medical data. MFA is a valid tool to protect credentials and prevent unauthorized logins, and can be combined with other more sophisticated systems to alert security teams of potential breaches and threats.

    • 04 Dec 15

    5 Ways to Avoid a Phishing Scam

    Phishing happens when a person is targeted by an attacker posing as an institution and is tricked into providing personal information such as credit card details, user name and password, or banking information. Some phishing scams target organizations, and not just individuals, and the scams use employees to provide the phishers with access to networks containing valuable data.
    Phishing attacks are very common, with Kaspersky reporting over 30 million attacks in the second quarter of 2015 alone. Knowing how to identify and avoid phishing attacks is essential to prevent malicious users from accessing valuable data and committing identity theft.

    Avoid Clicking Links
    A common phishing scam relies on compromised email accounts to fool users into thinking the email comes from a trusted source. This means that emails from friends or colleagues can contain malicious links that can be devastating. It's wise to check links by hovering the mouse over the link (without actually clicking on the link), which will show the address that the hyperlink is pointing to, and then check the spelling of the address to ensure it's a legitimate website.

    Verify Every Site
    Another common phishing scam is a website posing as an online bank or retailer, where people then enter their credentials as usual. It's essential to verify the address of any website before proceeding by checking its spelling and its source. Many browsers will show secure sites with a green lock icon near the address bar, and secure sites will usually start with "https" instead of simply "http." Employees should be especially wary of links in emails, and instead should directly type in URLs in their browser when they want to conduct secure transactions.
    Update Anti-phishing Software
    While it may be impossible to avoid all phishing scams, there is software that can prevent phishing attacks from gathering data. All computers should have this software not only installed, but also updated at all times.

    Use Firewalls to Buffer Traffic
    Many high-quality firewalls have two components - one software-based and one hardware-based - that are excellent at blocking unwanted traffic. Users should avoid logging into any sensitive sites on public, unsecured Wi-Fi for this reason.

    Avoid Pop-up Windows
    Pop-up windows often redirect to phishing sites or contain malware. Most browsers block pop-ups and this feature should be enabled at all times. If one does get through, close the window by clicking the X in the top corner instead of the cancel button on the pop-up.
    Phishing scams rely on user trust to succeed. Being aware of these scams and following a few simple precautions is usually sufficient to prevent these attacks, and attackers, from getting the information they want.

Healthcare IDM is a subdivision of GCA Technlogy Services, a provider of identity management solutions since 2006. Initially founded in 1987, GCA has evolved into a boutique identity management firm focusing on security and compliance within the healthcare industry
4805 Independence Parkway Suite 100
Tampa
FL
33634
USA