Can You Keep a Secret? Make Sure Your Printer or Copier Can.

Virtually every organization today deals with sensitive electronic information – from confidential human resources and business records to personal health information (PHI). Today’s high-tech all-in-one printers and copiers allow you to print, scan, fax and even email these documents with the click of a button. But what happens to that information as it passes through the machine? It ends up getting stored on the printer hard drive.

Chances are, you already know that electronic information lives on (forever) inside your copier. However, you may still wonder, “Is it secret? Is it safe?”

I am happy to report that it is actually rather difficult these days to steal information from your office equipment, mainly because specialized forensic software is required. However, you still should – and in many cases, you are required to – protect and erase theft-worthy data.

There are two main ways: a data security overwrite kit and hard drive scrubbing.

If you are in the process of buying or leasing a new multi-function printer, then the overwrite kit is a perfect option. It will scrub the binary code of every document and replace it with zeroes. It will be like the information never existed.

However, once you have started using a printer that does not have an overwrite kit, you can not install the program later, thinking it will erase all the old files. And you can not simply delete files yourself and assume they are gone forever. They are not. In this case, you must move on to hard drive sanitization, which is usually done when you are ready to get rid of a piece of equipment.

You can purchase your own software and perform the sanitization yourself. Of course, a sledgehammer is always an option. Unfortunately, if you want to resell your equipment, trade up for a newer printer or finish your lease on good terms, that is not a good solution. Hopefully, your office equipment dealer handles hard drive scrubbing. If not, you probably can find other reputable services.

The most important thing to remember: get certified! Make sure the company that erases your hard drive also gives you a certificate of sanitization.

At Graphic Enterprises, we offer quality hard drive sanitization services for any organization in Canton, Akron, Youngstown and Western Pennsylvania. For more information, contact us.

Thinking Disaster Preparedness? Don’t Forget Your Documents.

As a smart business owner or manager, you probably already have a disaster preparedness plan in place for your company. And hopefully, as you were assessing potential risks, you remembered to include an emergency back-up strategy for all that paper in your filing cabinets or off-site storage locations.

Dealing with years of hard-copy records can be a daunting task. But losing them – particularly the important, historic or irreplaceable ones – could be devastating. One of the easiest and most cost-efficient options is digitizing your documents, and I’ve invited our electronic document management expert, Dennis Porter, to share his recommendations on how to get started with this process.

Before you panic thinking about all those stacks of paper, first determine which ones are really mission critical to your business. Chances are, the documents that fit into that category are a manageable amount.

The second step is considering your options with document management systems. I see most companies use the “from this day forward” approach. Another similar option is to go back to the beginning of your fiscal year and start there with scanning and indexing your documents. And while both of these are a great way to jump into the process of electronic document storage, they leave out those old, mission-critical hard copies.

One way to address this issue is to combine the “from this day forward” method along with scanning any file that you may pull from a filing cabinet. If you have to pull it from a filing cabinet, you’re probably going to need it again someday. It’s already in your hand, so why not scan it? You’ll never need to pull it again, and your document management system will back it up.

To this you can also add a round-up of key historic documents and scan them at one time to ensure their protection.

Digital Storage Options for Your Documents

To ensure the safety of your electronic files not only in an emergency, but also on a day-to-day basis, you need a primary back-up system. Thankfully, digital storage space is cheap these days. A 1TB (terabyte) hard drive is less than $100 and can hold as much as 1000 filing cabinets. Other types of primary back-up options include multiple hard drives and a server. Your data should be mirrored, which means when you save a document, it’s copied to all your back-up systems.

You also may opt for an online service, such as Dropbox or Carbonite, as a redundant (or secondary) off-site back-up. These services provide a real-time or scheduled back-up of your data to “the cloud,” which is a fancy term for a secure, encrypted server on the Internet. You can use a tape back-up, but those appear to be going away as technology moves forward.

Finally, consider using a portable hard drive that’s plugged into a server by day and goes home with an employee at night.

If you’re wondering what the best option for your business is, talk to your IT services specialist.

How to Keep Scanned Files More Manageable

When scanning files, don’t scan at a higher dpi or resolution than you need. We recommend 300 dpi for most documents. Scanning a document at a higher resolution than you need just results in a larger file that takes longer to back up, upload, or access with document management services.

On the flipside, scanning a document at too low of a resolution will create problems if your system is trying to convert those documents to a “searchable” format. Look at your scanner settings. Don’t assume they are set at an optimal level.

If your business is located in Canton, North Canton, Akron, Youngstown or west of Pittsburgh, I would be happy to talk with you more about document management services and how they can benefit your company. Contact us to learn more.

Help Prevent Counterfeiting by Securing Your Copiers and Printers

The practice of counterfeiting currency is as old as money itself. What’s new is the spin that modern technology has given this ancient crime. In the past, forgers who created fake currency needed not only offset presses and special inks, but also high-level skills with engraving plates.

Today, state-of-the-art printers and copiers have taken over where this illegal art form left off. At the end of 2009, there was approximately $893 billion in United States currency in circulation, along with $69 million in counterfeits. The vast majority of those counterfeit bills were made by amateurs using high-tech digital copier and printer products.

Printer and Copier Security Options

There are two main ways to protect your business from fake currency. If you accept cash at any point in your business operations, it’s critical to train front-line employees on how to spot fraudulent money before it’s even accepted as payment. The U.S. Secret Service website offers detailed information on the ins and outs of detecting counterfeit bills.

The other way is to help prevent counterfeiting in the first place by securing your company copiers and multi-function printers. Ordinarily, we talk with our customers about user authentication and account tracking for managed print services. However, these features also offer an added layer of protection against the chance that someone might use your office equipment for counterfeiting.

User Authentication with Electronic Office Equipment

Most user authentication practices involve a PIN (personal identification number) code. However, fingerprint recognition, swipe cards and RFID (radio frequency identification) key fobs can be added to certain copiers and printers. All these methods allow you to set usage parameters and control who can use a particular machine and for what purpose.

Account Tracking for Usage Reviews

Account tracking goes hand in hand with user authentication. It allows you to run user reports at any time. These reports can show you who used a copier or printer for how long and for what purpose. The primary purpose of account tracking is to control costs, but implementing it together with user authentication can be a strong deterrent against misuse of company equipment.

Read more about the benefits of user authentication and account tracking. Together, we can all do our part to reduce counterfeiting, which, in the long run, helps us all.

If you operate a business in Canton, North Canton, Akron, Youngstown or elsewhere in Northeast Ohio or Western Pennsylvania and want to know more about setting these features up on your copiers and printers, contact us. If you don’t have an IT services provider, we can help you with that, too.

Gearing Up for HIPAA Compliance Audits in IT, Part 6: Document Management

A good electronic document management system is an essential part of, or complement to, an electronic health record (EHR), as well as a copier or printer. Let us be honest – as much as you might want to deal only with e-documents, you will need to handle paper for the foreseeable future. So, if you are facing a HIPAA audit, it is essential to make sure that paper records are handled with as much care as digital ones. In my continuing series on preparing for these new HIPAA audits, I have invited Dennis Porter, our document management expert, to cover issues related to document management, EHRs and PHI (protected health information).

If I put myself in the auditor’s shoes, there are several things I would look at closely when it comes to document management processes and PHI security in health care.

  • Access to PHI. Best practice is to lock down employee access based on network ID – which is the same security as a domain login. So, when a person logs into the EHR or document management software, they are only granted access to very specific pieces of data. Make sure whatever system you are using allows you to restrict access at the category, folder and even document levels.
  • Audit Trail. The best document management systems and EHRs will provide documentation of all actions associated with documents, categories and folders in real time. This audit log will let you see who looked at a document, who changed it, who printed it, who emailed it, etc. And, if someone intentionally or accidentally deletes a document, the system administrator can recover it easily.
  • Server Management Component. This is the system’s security roadmap, and you should look at it carefully to ensure login permissions are right for who is allowed to view, modify, email and print PHI and other documents. If someone doesn’t have access to a particular folder, then that person should not even be able to see that folder when logged into the document management system.
  • Second Level of Security Passwords. Many good document management systems will offer another level of password protection above the network login. In most business environments, this isn’t necessary. But, if a HIPAA audit is imminent, it’s good if you have this avenue to explore.
  • Internal Policies. These medical document management and EHR security safeguards are only as good as your network administrator and his or her network security. And, they are only as good as your internal policies and how seriously employees take them. For example, if people don’t think about logging in or out before sharing a work station, then you have a bigger problem that no e-security measure is going to fix.

Let me mention that not all document management software is created equally. Some developers – even potentially those who design EHRs – add this facet as an afterthought, a clunky add-on to their software.

You may be tempted to purchase the document management system because, on the surface, it goes along with systems you already have. Before you do that, I encourage you to try it out. If it’s not user friendly, look instead for a good universal document management system that can work with your current program. This can save you lots of headaches down the road, especially if an auditor is knocking at your door.

If you’re a medical provider in the Canton, North Canton, Akron or Youngstown area and need advice on good electronic document management practices, contact us.

Gearing Up for HIPAA Compliance Audits in IT, Part 5: Printer Log Management

I know one of the biggest concerns that HIPAA-Covered Entities may have right now – aside from the HIPAA audit itself – is how to ensure that PHI (protected health information) isn’t stolen or stored in a manner that doesn’t comply with the law.

As I continue my series on how to prepare for a HIPAA audit, I’ve invited John Sedlak, our manager of network and managed print services, to explain what you can do to protect PHI that may exist in the logs on your copiers and printers.

There are two ways to handle multi-function printer logs: proactively and reactively. Obviously, being proactive is always better, but sometimes you just need to know how to implement a fix after the fact, especially if an audit is in the works.

The proactive approach to handling electronic PHI:

If you’re going to purchase a new printer or copier, ask for a data security overwrite kit. Some dealers will automatically include this and others offer it as an option.

The overwrite kit “writes zeroes.” What that means is, each time you scan, print, copy or fax information, the application will scrub the hard drive (temp files), replacing that document’s associated binary code (ones and zeroes) with all zeroes, effectively erasing the document from the system’s memory.
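The difference between an ordinary delete and the zero-overwrite described above, as an added example that is not part of the original post or any vendor's overwrite kit. `ToyDisk` is a hypothetical in-memory model of a drive, and the "scan" is constructed test data.

```python
"""Toy model: why deleting a file is not the same as overwriting it with zeroes."""

BLOCK_SIZE = 16  # bytes per block in this constructed model


class ToyDisk:
    """Hypothetical in-memory stand-in for a copier hard drive.

    It models a simple block device with a file table. It does not model
    flash wear leveling, where an overwritten logical block can leave an
    older physical copy behind.
    """

    def __init__(self, num_blocks):
        self.raw = bytearray(num_blocks * BLOCK_SIZE)  # the platter contents
        self.table = {}                                # file name -> block numbers
        self.free = list(range(num_blocks))            # blocks available for reuse

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)           # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, block in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = block * BLOCK_SIZE
            self.raw[start:start + len(chunk)] = chunk
        self.table[name] = blocks

    def delete(self, name):
        """Ordinary delete: forget the file and free its blocks, bytes untouched."""
        self.free.extend(self.table.pop(name))

    def overwrite_and_delete(self, name):
        """Overwrite-kit behaviour: write zeroes over every block, then delete."""
        for block in self.table[name]:
            start = block * BLOCK_SIZE
            self.raw[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)

    def residual_blocks(self):
        """Free blocks that still hold non-zero bytes (the check a defender runs)."""
        return sorted(
            b for b in self.free
            if any(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
        )


def demo():
    # Constructed sample document; not real patient data.
    scan = b"Patient: Jane Sample, DOB 1970-01-01 (constructed test data)"

    plain = ToyDisk(8)                 # device without an overwrite kit
    plain.write_file("scan_tmp", scan)
    plain.delete("scan_tmp")

    kit = ToyDisk(8)                   # device that zeroes temp files after each job
    kit.write_file("scan_tmp", scan)
    kit.overwrite_and_delete("scan_tmp")

    return {
        "listed_after_delete": list(plain.table),
        "bytes_survive_delete": scan in bytes(plain.raw),
        "residual_after_delete": plain.residual_blocks(),
        "bytes_survive_overwrite": scan in bytes(kit.raw),
        "residual_after_overwrite": kit.residual_blocks(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
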

If an auditor is looking at this feature (and you can be pretty sure they will), you’ll need to show them proof of purchase, along with a print-out of your system’s configuration page that shows how the overwrite kit works.

The reactive approach to handling electronic PHI:

If your multi-function printer does not have an overwrite kit, you are leaving yourself somewhat vulnerable. Although it’s not easy to steal the information from the copier’s hard drive (crooks need special forensic software to interpret the data), you still want to make sure sensitive information is protected and/or truly deleted. In fact, you’ll probably need to prove this, which requires “hard drive sanitization.”

When you’re ready to get rid of a printer or copier, take it to a facility (hopefully, your dealer provides this service) where they follow strict guidelines for “scrubbing” hard drives properly. Then, be sure you get a letter or certificate of sanitization from the facility that clearly documents this. When the auditor asks, you can show them this proof.

If your office is located in Northeast Ohio (Canton, Akron, Youngstown and beyond) or Western Pennsylvania and you would like to learn more about the data overwrite kits and hard drive sanitization services we offer, contact us for more information.

Gearing Up for HIPAA Compliance Audits in IT, Part 4: Technical Controls

It’s almost the end of April. By now, all HIPAA-Covered Entities should at least be toying with the idea of starting a security risk analysis (required by law) in preparation for a compliance audit. Eventually, the U.S. Department of Health & Human Services and its Office for Civil Rights (OCR) will get to you.

In my ongoing blog series about this complex topic, I am focusing a good bit on the responsibilities of Business Associates as defined by HIPAA and HITECH because that is our biggest area of concern at Graphic Enterprises. Our office equipment – including many different models of Konica Minolta printers and copiers, as well as associated electronic document management systems – is hard at work in many health care offices throughout Ohio and Pennsylvania; documents containing PHI (protected health information) are scanned, printed, faxed and emailed every day. And, I expect to hear from those offices in the coming months, asking us to provide detailed information about how our office equipment meets the requirements of the Security Rule.

Whether you currently use a multi-function printer or copier – or are in the process of looking for a new one – as a HIPAA-covered entity you should work closely with your vendor or dealer to make sure your equipment has these critical security features:

  • Access control, either device-based or network-based. This ensures that only the people who should be looking at PHI will have access to PHI in electronic or paper format.
  • Automatic logoff, which ensures that every user is logged off soon after using the printer, minimizing accidental or intentional viewing of PHI.
  • Authentication via login at the operation panel or with a smartcard, HID card or biometrics.
  • Emergency access to data for situations where systems crash or PHI has been breached.
  • Audit logging, so you can follow the trail of all PHI that has passed through the printer.
  • Encryption to minimize PHI breaches.
  • Integrity so that you can be certain that PHI and other information is complete, accurate, valid, etc.

In some cases, your office equipment may already have these features built in, so all you have to do is make sure they are all “turned on” and functioning properly. If your copier or printer does not provide these safeguards, it’s time to look for a new model. Medical offices in Canton, North Canton, Akron, Youngstown and beyond are welcome to contact us for help with office equipment security features.

Gearing Up for HIPAA Compliance Audits in IT, Part 3: Security Risk Analysis

With HIPAA audits getting underway this year, Covered Entities are starting to ask, “What do I need to do to get ready?” As the president of an authorized Konica Minolta printer and copier company, I am asking that question, too, because the equipment we sell and service may eventually hold PHI (protected health information).

As a Business Associate of many Covered Entities in Northeast Ohio – including hospitals, physician offices, clinics and more in Canton, North Canton, Akron, Youngstown and beyond – the team at Graphic Enterprises recognizes the importance of performing a HIPAA security risk analysis (in fact, the Security Rule requires it), as it pertains to our customers and equipment.

To get everyone in our organization on the same page, we’ve devised this introductory checklist. Of course, as we get a better grip on this whole process, this checklist will probably change somewhat. However, I hope by sharing it, we can help you get started with your own HIPAA risk analysis.

  1. Start with the basics. Under HIPAA, providers are required to review and update all policies, procedures and protections surrounding PHI. If you do not have a policy, now would be a very good time to draft one and have it scrutinized by legal counsel.
  2. The buck stops here. Designate someone in your organization to lead the risk assessment and, subsequently, the risk management process. This person should have a good understanding of both the technical (I am talking about systems) and the non-technical aspects of health care compliance.
  3. Examine the flow of PHI in the real world. Things always look good on paper, right? But, what path(s) does patient information follow in your office or organization on a day-to-day basis? There are three key areas you should be scrutinizing for threats, vulnerabilities, risks and exposures: administrative procedures, physical safeguards, and technical standards and mechanisms. The U.S. Department of Health and Human Services (HHS) provides recommendations in its document, Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. Just a bit of fun bedtime reading, right? (Hint: you will want to do a deep dive into the sections that talk about addressable controls.)
  4. Create a spreadsheet. I love a good spreadsheet for keeping track of all the details of my business, and there are sure to be many, many details involved in this HIPAA risk analysis. You will need a good way to keep track of them.
  5. Carefully scrutinize business associate contracts. At the end of the day, a Covered Entity is responsible for patients and their PHI. So, you want control over any PHI you may need to give a business associate, as well as legal recourse should the business associate allow a breach. Every business associate contract should contain an indemnification provision. Again, I recommend that you seek legal counsel on this issue.
  6. Document everything. Need I say more? This will be especially important when you complete the assessment and begin the management part.
  7. Keep things fresh. This is not a set-it-and-forget-it process. You may have no way of knowing when you will be audited by the OCR. Therefore, you need to make sure you complete a risk analysis and management process at regular intervals, just in case.

Let me know how your HIPAA audit preparation is going. I welcome your comments and input. After all, we are all new at this.

Seven Signs Your Small Business Needs an IT Services Company

When I think back to what doing business was like just 20 years ago, I am amazed at how quickly computer and information technology have become indispensable for the vast majority of companies. When a computer freezes, things get delayed. When a network crashes, work ceases!

If you are a small business owner – or manage a small office, say at a church, physician practice or manufacturing plant – you often can not afford an in-house IT staff or specialist, and you may think outsourcing business computer services is too costly for your budget. But what would happen to your productivity, deliveries, record-keeping and other vital information if you had no way to access it or repair a major problem?

If any of the following seven signs apply to your business, then I encourage you to think seriously about finding a good third-party IT services provider:

  1. Your computers and your network are running more and more slowly. This is a big red flag, of course, and usually indicates that a crash is imminent. Continuing to put up with it means inefficiency at best and the potential for losing critical data at worst.
  2. You call your nephew when things go wrong. Although your nephew may be a “genius” when it comes to writing website code, he may not have the experience or know-how to fix your particular systems and hardware.
  3. You have no back-up strategy or disaster recovery plan. If your data is not protected in the event of a systems malfunction or (worst case scenario) a natural disaster of some kind, you stand to lose whatever you’re tracking with your computers. For most organizations, that’s everything!
  4. You are not keeping up with IT updates or using the latest operating systems. If you keep ignoring system updates and upgrades, eventually that will catch up with you. Programs will no longer function or integrate with other, more advanced software and web-based technology.
  5. You are not confident that your network is virus free. Do your computers do “funny things” or seem to have a lot of glitches? If yes, you could have a potentially dangerous virus in your system that can damage or destroy your data.
  6. You’ve outgrown the capabilities of your current network. When your operation grows, the technology must grow with it. If not, you stand a good chance of disappointing customers or missing critical deadlines because your equipment and systems can not keep up.
  7. Your network is unsecured. In a time when data and identity theft are common, you simply can not afford to leave potentially sensitive information unprotected.

If you recognize any of these signs at your business or organization, you are definitely at risk and need to work with a reputable, affordable computer service provider. The company you choose should be well-versed in taking care of assessments, disaster recovery plans, printers and copiers, virus and malware elimination, network and phone cabling, ISP consulting, preventive maintenance and more.

Do you own a small business or manage an office in Northeast Ohio, including Canton, North Canton, Massillon, Akron, Youngstown and beyond? If yes, Graphic Enterprises can help you with IT services. Contact us for more information.

Gearing Up for HIPAA Compliance Audits in IT, Part 2: Business Associates

If you’re responsible for health IT at a HIPAA-covered entity, you’re probably thinking more seriously about the reality of HIPAA compliance audits, which are getting underway this year. As I discussed in my first post on HIPAA audits a couple weeks ago, the passage of the HITECH Act in 2009 raised the bar on security for protected health information (PHI) and electronic PHI under HIPAA – for both covered entities and what are known as “business associates.”

I’m sure you’re already quite familiar with the term “business associate” and what types of vendors fall into this category (service providers, vendors and third parties that support covered entities). Graphic Enterprises is a dealer of Konica Minolta copiers, printers and document management systems for organizations in Northeast Ohio and Western Pennsylvania; as such, we come under scrutiny because ePHI often passes through our equipment and systems. And we’re just one type of business associate you need to consider. I’m sure you’ve got third-party health plan administrators, CPAs and attorneys, consultants, transcriptionists, pharmacy benefits managers and others in your sights.

So, in the midst of all this headache, what’s the upside for you? It may be a great opportunity for you to get the security upgrades and controls you’ve been requesting for years.

Before HITECH, all the privacy and security requirements between covered entities and business associates were handled via contractual agreements. Historically, the major problem with those agreements was that things were kind of “loosey goosey,” with few standards and criteria to aim for. Now, the responsibilities of a business associate are more defined, as are the liabilities:

  • Security breach notification requirements
  • Cure, terminate or snitch obligations
  • PHI disclosure accounting

We recognize our obligations to provide detailed information about how our products, systems and services meet the requirements of the HIPAA Security Rule. As the one in charge of IT for a covered entity, you have a right and a duty to ask for it. And, in the process, we hope you are given the chance to make your internal health IT systems better than ever!

If you’re part of a HIPAA-covered entity, what kinds of safeguards and security controls are you requiring business associates to document? And, how can a business associate like Graphic Enterprises make audit compliance easier for you?

Gearing Up for HIPAA Compliance Audits in IT, Part 1

When the Federal Health Insurance Portability and Accountability Act – affectionately known as HIPAA – was passed in 1996, no one was seriously thinking about how things like the Internet, electronic health records (EHRs), cloud computing and smartphones would affect personal health information (PHI). Fast forward 13 years to 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act. Suddenly, there was an intersection between EHR adoption, government incentives and the safety and security of electronic PHI. Thanks to HIPAA, HITECH and other factors too numerous to list here, the delivery of health care services in the United States is changing rapidly and forever.

This year, the U.S. Department of Health & Human Services (HHS), via its Office for Civil Rights (OCR), launches the first HIPAA compliance audits ever conducted. (It only took them 16 years!) The OCR is planning audits of 150 HIPAA-covered entities in 2012, including hospitals, physician and dental offices, labs, nursing homes and pharmacies. Security compliance will be a major part of the audit, and, in today’s world, that rests heavily on IT folks.

I recently read an article that describes information security as the Achilles heel of PHI. Unsecured storage devices, portable devices and the concept of BYOD (bring your own device) make data loss via theft or computer failure a very real issue – and a headache for any health care IT department. Plus, under HITECH, liability for a PHI breach is extended to business associates (i.e. third-party vendors, suppliers, consultants, contractors, etc.). So, if you’re in IT, you have to think about systems security with any business associate you work with.

I know Graphic Enterprises will be considered a business associate by many of our health care customers in Ohio and Pennsylvania who use the copiers, printers and document management systems we provide. In many cases, our equipment and software play a critical role in both HIPAA and HITECH issues and objectives.

If you’re reading this, chances are good that you’re not among the first 150 entities that are being audited this year. But, you can be sure you’ll eventually be under the microscope.

So, in this series of blog posts about HIPAA compliance audits, I want to help you get ready by discussing some of the IT security issues that face the health care industry and how you can minimize your risk – particularly with business associates and the use of copiers, printers, multi-function printers and document management systems.