Navigating Your ARPA Tech Project Before the 12/31/24 Deadline

The American Rescue Plan Act (ARPA) provided $350 billion in funding for state and local governments to aid in their recovery from the COVID-19 pandemic. This includes funds allocated for rebuilding public sector capacity, which encompasses technology infrastructure.

Here’s what you need to know:

  • Deadline: Governments must obligate the funds by December 31, 2024 and spend them by December 31, 2026. Don’t miss out!
  • Eligible Uses: You can use ARPA funds to purchase technology to address negative economic impacts, including:
    • Rebuilding public sector capacity by rehiring staff or investing in data analysis and technology infrastructure.
    • Implementing economic relief programs through tools that manage applications and reports.
  • Multi-year contracts: ARPA funds allow for multi-year contracts, giving you peace of mind for your project’s future.

HCH Enterprises can help:

  • Navigate ARPA guidelines: We can help you understand the rules and ensure your technology project aligns with eligible uses.
  • Develop a strategic plan: We work with you to craft a plan that demonstrates how technology addresses your specific challenges.
  • Implement the solution: We offer expertise and resources to ensure successful implementation and continued support.

Additional Resources:

How other cities are using their ARPA spend on technology

The National League of Cities, National Association of Counties, and Brookings Institution’s Brookings Metro program have teamed up to create an interactive dashboard that tracks how 152 municipalities are using this relief money. The dashboard allows you to see how cities are investing in a variety of areas, including funding for improving broadband internet access, cybersecurity measures, and tools to help government employees work remotely.

Don’t let this valuable opportunity pass by! Contact HCH today to discuss how we can help your organization leverage ARPA funds for technology solutions.

Protecting your staff from getting “Hooked”

Small businesses face an ever-present threat: phishing attacks. These deceptive cyber schemes can wreak havoc, leading to data breaches, financial losses, and severe reputation damage. To safeguard your small business and ensure your team stays clear of phishing traps, it’s essential to implement robust security strategies and educate your staff about the dangers of these scams.

Unveiling the Phishing Menace

Phishing attacks involve cybercriminals sending convincing emails or messages that appear to be from trusted sources, often mimicking renowned companies, government entities, or colleagues. The sinister objective? To manipulate recipients into disclosing sensitive information, such as login credentials, credit card details, or personal data, or to dupe them into downloading malicious software.

Safeguarding Your Small Business

Employee Training: Your workforce is the first line of defense against phishing threats. Empower them with the knowledge to spot common phishing indicators, like unexpected emails requesting confidential data, misspelled website URLs, or generic greetings. Encourage a cautious approach and emphasize the importance of verifying unusual requests.

Implement Top-notch Security Software: Get strong antivirus and anti-malware software to protect your computers. Keep this software up to date to make sure it works properly.

Harness Email Filtering: Set up email filters to catch phishing emails before they reach your team. Filters can find and flag suspicious messages, making it harder for phishing attacks to succeed.

Activate Two-Factor Authentication (2FA): Activate Two-Factor Authentication (2FA) for important accounts. This means you’ll need to confirm your identity using a second method, like a text message or an authentication app. It adds a layer of protection.

Regular Updates: Make sure all your software, operating systems, and apps are always up-to-date. Cybercriminals often use weaknesses in outdated software to attack.

Create an Incident Response Plan: Create a plan for what to do if you suspect a phishing attack. The plan should include steps to stop the attack, tell the right people, and investigate what happened.

Embrace Encryption: Use encryption to keep your important information safe. Encrypting emails and files makes it very hard for cybercriminals to steal your data.

Check Your Vendors: If you rely on other companies for services or software, make sure they have strong security measures. A breach at one of your vendors could hurt your business too.

Stay Informed: Stay updated on the latest phishing tricks and trends. Cyber threats change, so it’s important to keep learning to stay safe.

Regular Testing: Regularly test your team with fake phishing emails to see if they can spot them. It helps find areas where more training is needed.


By prioritizing employee education, implementing robust security measures, and staying vigilant, your small business can protect its valuable data and reputation from cybercriminals aiming to get your staff “hooked” in their phishing schemes. Contact HCH Sales to access our support and expertise.

Navigating HIPAA Compliance: 10 Vital Pitfalls Health Stewards Must Sidestep

By Chelsea Levesque, Director, Marketing and Communications, HCH Enterprises

In the realm of healthcare, HIPAA (Health Insurance Portability and Accountability Act) stands as a cornerstone for safeguarding patient information. Health stewards, encompassing health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid, share the responsibility of upholding HIPAA regulations to preserve patient privacy and maintain data integrity. This blog sheds light on 10 prevalent HIPAA blunders that Health Plans should evade to ensure compliance and cultivate patient confidence.

Neglecting Comprehensive Staff Training:
Mistake: Overlooking the imperative of comprehensive HIPAA training for staff members.
Solution: Implement consistent HIPAA education sessions for your Health Plans team, reinforcing awareness of HIPAA rules, patient privacy, and adept management of sensitive data.

Lax Access Control Measures:
Mistake: Permitting unauthorized personnel unrestricted access to patient records.
Solution: Set up stringent access controls that limit PHI access to authorized personnel exclusively. Regularly assess and refine access authorizations.

Skimming on Risk Assessments:
Mistake: Omitting regular risk assessments that identify potential vulnerabilities.
Solution: Conduct frequent risk assessments to identify potential security loopholes, subsequently applying robust safeguards.

Inadequate Data Storage Security:
Mistake: Storing patient information on unsecured platforms or devices.
Solution: Encrypt electronic PHI (ePHI), implement robust password practices, and adopt secure data storage protocols to thwart unauthorized access.

Poor Data Disposal Practices:
Mistake: Mishandling the disposal of patient data, both physical and digital.
Solution: Enforce secure data disposal techniques, such as shredding paper records and securely erasing electronic data, to prevent unauthorized access post-disposal.

Overlooking Business Associate Agreements:
Mistake: Failing to establish comprehensive agreements with third-party entities handling patient information.
Solution: Draft comprehensive business associate agreements to ensure third-party compliance with HIPAA regulations when handling patient data.

Absence of a Rigorous Incident Response Plan:
Mistake: Operating without a clearly defined plan to manage data breaches and security incidents.
Solution: Develop and regularly update an incident response plan that outlines steps to address potential breaches with prompt and effective measures.

Insecure Communication Channels:
Mistake: Transmitting patient data via unencrypted emails or other insecure modes of communication.
Solution: Employ secure communication methods, such as encrypted email services, to fortify patient data protection during transmission.

Disregarding Patient Rights:
Mistake: Ignoring patients’ rights to access, amend, and request copies of their health records.
Solution: Establish streamlined processes to promptly fulfill patient requests for their health information, respecting their rights diligently.

Insufficient Documentation:
Mistake: Failing to maintain meticulous records of HIPAA compliance efforts.
Solution: Keep detailed records of training sessions, risk assessments, policies, and procedures, ensuring comprehensive documentation to demonstrate compliance when required.

Health stewards bear the onus of upholding patient privacy and adhering to HIPAA regulations. By avoiding these prevalent HIPAA pitfalls and adopting proactive compliance measures, they can secure patient data, bolster patient trust, and shield themselves from potential legal and financial repercussions. Embrace the continuous commitment to HIPAA OSHA compliance, fortifying patient-provider relationships and cultivating a secure environment that benefits both patients and healthcare providers.

We specialize in providing comprehensive OSHA and HIPAA compliance solutions, including certification, tailored to the unique needs of your business. Stay ahead in the compliance game and fortify your commitment to #patient-centric care with us today!

#PublicSectorConsulting #HIPAACompliance #HealthcareIntegrity #PatientPrivacy #HealthPlans #Medicare #Medicaid #HealthInsurance #HMOs #DataSecurity #OSHA

SecurityBeat: China 10x U.S. in Cyber Command Staffing

DOJ Prosecutes Individuals Scamming Federal Funding

Ten people have been charged by the U.S. Department of Justice (DOJ) for their alleged roles in business email compromise (BEC) scams. These scams were aimed at a wide range of victims, including federal funding programs like Medicare and Medicaid.

More than $11.1 million was lost as a result of these attacks, with the money stolen by fooling victims into diverting bank transfers to the scammers’ accounts.

Daixin Team Behind Ransomware Attack on AirAsia

A cybercrime group known as Daixin Team has leaked sample data belonging to AirAsia, a Malaysian low-cost airline, on its data leak portal.  The threat actors claim that they have access to the personal information of all of the company’s employees and five million passengers. The samples uploaded to the leak site include employee personal information, passenger information, and booking IDs.

The U.S. cybersecurity and intelligence agencies recently issued an advisory about Daixin Team, warning of attacks primarily targeted at the healthcare industry.

Increasing Cyber Risk in the Transportation Industry

Ransomware activity continues to increase globally despite efforts by businesses to boost their cybersecurity. While some industries have doubled or tripled their protection, others are still vulnerable and are finding themselves being targeted by cybercriminals.

According to The Threat Report: Fall 2022 from Trellix, the third quarter of 2022 saw ransomware activity double in the transportation and shipping industry. The report includes evidence of malicious activity linked to ransomware and nation-state-backed advanced persistent threat (APT) actors. It examines malicious cyber activity including threats to email.

China 10x U.S. in Cyber Command Staffing

China’s focus on enhancing its cyber capabilities over the past decade “poses a formidable threat to the United States in cyberspace today,” according to a report released by a congressional advisory commission.  The U.S.-China Economic and Security Review Commission’s 2022 Annual Report to Congress assessed a range of threats to the U.S. economy and national security, including Beijing’s cyber warfare and espionage capabilities.

Rackspace’s Hosted Exchange Environment Held Ransom

Four days passed from the time Rackspace disclosed that its customers were experiencing difficulties with the company’s hosted exchange environments until advising that the incident was in fact a ransomware attack. The impairment was promoted to a security incident on day 2 with in-place recovery being so difficult that the company reluctantly notified customers that their email services were migrating to Microsoft 365 on day 4.

Who is Monitoring Your DNS Communications?

For nearly forty years, we stopped manually sharing host information and began relying on the Domain Name Service (DNS) to get the address of the system we need to communicate with.  DNS is one of the few protocols we allow to communicate freely without restriction. Why would we need to protect our systems query of the network’s address book?

In a recent report published by Pentera, we find that attackers can use DNS tunneling to communicate with air-gapped networks. Organizations often use air-gapped networks to isolate their sensitive assets.

The takeaway is twofold.

  • First, completely air-gap your sensitive assets by disabling DNS and using hostname tables.
  • Second, consider using special monitoring solutions to inspect and prevent suspicious DNS traffic from traversing your network.