
ProactiveIT Ep 20 – Patch Tuesday Never Disappoints

Published March 13, 2020; updated March 16, 2020

This is the ProactiveIT Podcast. This week: the latest in IT and cyber security news, plus Coronavirus Has Taken Over, Patch Tuesday Never Disappoints, and HIPAA Stats to Perk You Up.

This is Episode 20!  

Intro

Hi everyone, and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech – a client focused & security minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts: subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group.  Search for Get HIPAA Compliance

QOTW: Is there a checklist that can be used to perform a HIPAA audit?

Patch Tuesday Update:

Google Chrome 80.0.3987.132 (Update)
Microsoft March 2020 Patch Tuesday Fixes 115 Vulnerabilities
Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw
Microsoft Releases Out-of-Band Security Updates for SMB RCE Vulnerability
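The SMBv3 flaw listed above, CVE-2020-0796, was fixed out of band rather than on Patch Tuesday, so the check a Windows admin wants is whether each host is on an affected build, has the fix installed, or at least has the interim workaround in place. The PowerShell below is an added example written for this page; it is not from the podcast, the linked articles or Microsoft. It assumes, from Microsoft's advisory and release notes for this CVE, that the affected builds are Windows 10 and Windows Server versions 1903 (build 18362) and 1909 (build 18363), that the out-of-band update is KB4551762, and that the published workaround is setting DisableCompression to 1 under the LanmanServer Parameters key.

```powershell
# Added example: report (and optionally mitigate) exposure to CVE-2020-0796,
# the wormable SMBv3 compression bug. Not from the podcast or Microsoft.
# Assumptions taken from Microsoft's advisory: affected builds 18362/18363,
# fix KB4551762, workaround DisableCompression=1 under LanmanServer\Parameters.
function Test-SmbGhostExposure {
    param([switch]$Remediate)

    $affectedBuilds = 18362, 18363
    $fixKb          = 'KB4551762'
    $paramKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    $build    = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    $affected = $affectedBuilds -contains $build

    # Get-HotFix returns nothing (no error with SilentlyContinue) when the KB is absent.
    $patched = [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)

    # The workaround value is absent by default, which means compression is enabled.
    $params              = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue
    $compressionDisabled = ($params.DisableCompression -eq 1)

    # The remotely wormable path is the SMB server on TCP 445; if nothing listens
    # there, the host can still be hit as an SMB client but cannot be wormed into.
    $smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    $exposed = $affected -and -not $patched -and -not $compressionDisabled -and $smbListening

    if ($exposed -and $Remediate) {
        # Stopgap only: blocks the vulnerable server-side path until the update is
        # installed. It does not protect this host when it acts as an SMB client
        # against a malicious server, so the update is still required.
        Set-ItemProperty -Path $paramKey -Name DisableCompression -Type DWORD -Value 1 -Force
        $compressionDisabled = $true
        Write-Warning "CVE-2020-0796: DisableCompression workaround applied; install $fixKb as soon as possible."
    }

    [pscustomobject]@{
        Build               = $build
        AffectedBuild       = $affected
        PatchInstalled      = $patched
        CompressionDisabled = $compressionDisabled
        Smb445Listening     = $smbListening
        Exposed             = $exposed
    }
}

# Report only; add -Remediate to apply the registry workaround on exposed hosts.
Test-SmbGhostExposure | Format-List
```

Run it from an elevated prompt so the registry write in -Remediate succeeds. A host that reports AffectedBuild true and PatchInstalled false should get the update regardless of what the other fields say; the workaround column exists so you can tell which machines are covered in the meantime.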

Cyber Security News

Ryuk Ransomware Behind Durham, North Carolina Cyberattack

New US Bill Aims to Protect Researchers who Disclose Govt Backdoors

Ransomware Threatens to Reveal Company’s ‘Dirty’ Secrets

HHS finalizes interoperability rules: 7 things to know

CISA Warns Against COVID-19 Cyber Scams and Provides Security Tips

Fake Tech Support Company Dupes 40K Victims Out of $8m

Topic 1: Working from home: Getting your team ready for the switch
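Topic 1 covers getting staff set up to work from home, and the caution in the episode is that Windows Remote Desktop carries risk and should only be used over a VPN. Before handing a machine to a remote worker, it is worth reading its RDP settings and the firewall profiles the RDP rules are open on. The PowerShell below is an added example written for this page, not from the podcast or the ZDNet article it discusses. It assumes the standard Terminal Server registry keys and the built-in "Remote Desktop" firewall rule group, and treats an enabled inbound rule on the Public (or Any) profile as "reachable from networks other than the office or the VPN".

```powershell
# Added example: audit a Windows host's Remote Desktop exposure before remote
# work. Not from the podcast or ZDNet. Assumes the standard Terminal Server
# registry keys and the built-in 'Remote Desktop' firewall rule group.
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means RDP is off (the workstation default).
    $rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # remote party must authenticate before reaching the logon screen.
    $rdpTcp      = Get-ItemProperty $rdpKey
    $nlaRequired = $rdpTcp.UserAuthentication -eq 1
    $port        = $rdpTcp.PortNumber

    # Which firewall profiles are the inbound RDP rules enabled on?
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' }
    $profiles     = @($rules | ForEach-Object { "$($_.Profile)" -split ',\s*' } | Sort-Object -Unique)
    $openToPublic = [bool]($profiles | Where-Object { $_ -in 'Public', 'Any' })

    $advice = if (-not $rdpEnabled)   { 'RDP is disabled' }
              elseif ($openToPublic)  { 'RDP reachable on the Public profile: restrict it to the VPN/Domain profile or disable it' }
              elseif (-not $nlaRequired) { 'Require NLA (UserAuthentication = 1)' }
              else                    { 'OK: RDP limited to Domain/Private profiles with NLA' }

    [pscustomobject]@{
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        Port           = $port
        OpenProfiles   = ($profiles -join ', ')
        OpenToPublic   = $openToPublic
        Recommendation = $advice
    }
}

Get-RdpExposure | Format-List
```

If RDP settings are pushed by Group Policy, the effective values live under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services rather than the keys read here, so treat this as a first pass and confirm with `gpresult` on domain-joined machines. A non-default port does not change the recommendation; moving RDP off 3389 hides nothing from a port scan.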

Topic 2:  Apple: This is how you should disinfect your iPhone, iPad, and Mac

Topic 3:  Live Coronavirus Map Used to Spread Malware

HIPAA Corner: 

Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/


Transcription (unedited)

This is the ProactiveIT Podcast. This week: the latest in IT and cybersecurity news, plus coronavirus has taken over, Patch Tuesday never disappoints, and HIPAA stats to perk you up. This is Episode 20.

Hi everyone, welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client focused and security minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that’s N-W-A-J tech dot com.

All right everyone, as always, thanks for joining. Thanks for listening to the podcast. We do have a question of the week, but before we jump into that, wherever you’re listening to this, if you could like, share, comment, review it, tell someone else about it, send up smoke signals, whatever it might be, it’s greatly appreciated. Because the more you share, the more people are informed, and the more people are informed, the less likely we are to become victims of phishing attacks, ransomware attacks, malware and hacking in general. Also, if you are in a HIPAA compliant business, please go to Facebook, type “Get HIPAA Compliance” in the search and join the group, because we share lots of HIPAA news and knowledge in that group, and it will greatly improve your HIPAA awareness in your business and in your life.

All right, so, question of the week: Is there a checklist that can be used to perform a HIPAA audit? The short answer is no. The long answer is you can use a checklist as sort of a guideline. But the problem is that every healthcare business, and every business associate, which is also required to do a HIPAA audit by the way, is going to be unique. So the HIPAA audit for my business, an IT business, is going to be different than that of the dentist down the street, because we have different things we need to look at. I don’t host any client files here, but the dentist does. I probably have better security than they do. So there are different things that need to be looked at and addressed, depending on your security risk assessment and your entire HIPAA audit. I don’t have a sign-in sheet at the front desk. Maybe they do. I hope they don’t, because they shouldn’t, but maybe they do. Also, HHS does have a free tool that you can download from their website for the security risk assessment portion of the HIPAA audit, and really all it is is some questions and so forth. Now, we partner with HIPAA Secure Now to help with the audits, because it does help us stay organized with the audit, I guess you could say. So that is something to think about. But there’s not really a checklist per se. There are lots of checklists out there, and I have checklists on our website as well, but that’s not really an audit. It’s just a guideline to follow to get you started, really, is all it is. So hopefully that helps answer that question, and if you need further clarification, just let me know.

For Patch Tuesday: it is Patch Tuesday week, the second Tuesday of the month. We have updates to Google Chrome and Firefox to start off with. Firefox just updated last night for my clients to version 74. Now, there were lots of Microsoft updates this week, 115 total patches. I didn’t remember the number offhand, but there were a number of critical patches involved with that; here it is, 115 vulnerabilities, of which it looks like 24 are critical. Most of those have something to do with remote code execution or the scripting engine. There is a big vulnerability, Windows SMBv3, tracked as CVE-2020-0796, that was not patched on Tuesday. However, there was a patch released yesterday for it, so you’ll need to get that patched ASAP as well.
That is a wormable vulnerability, meaning it can spread from computer to computer. So once one is compromised, it will jump around to other computers. And if you recall, SMBv1 was the vulnerability that WannaCry used. So you want to get that addressed as soon as you can. Intel also released a bunch of security updates for various products, so if you see an update for Intel, you’ll want to get that updated, because it does address some vulnerabilities. I’m reading most of these updates from the systems website, so you can go there and look at the list of the updates that are available. Not as many as there were in January and February, but you have some from Intel, from Microsoft of course, the Google Chrome update to .132, and Firefox 74. And so that does it for the updates portion of the show. We will move on to our news.

All right, so we have a little bit of news. It’s actually been a pretty quiet news week, relatively speaking, but we do have some news. So first up, on BleepingComputer: Ryuk ransomware behind Durham, North Carolina cyberattack. So Durham, North Carolina, the municipality, was attacked last weekend, and they did shut down their network. I haven’t seen an update for this, so they did shut down the network after suffering a cyberattack by Ryuk ransomware. This weekend it was confirmed that it was a Russian hacking group. Local media reports that city hall fell victim to a phishing attack that ultimately led to the deployment of the Ryuk ransomware on their systems. According to the FBI, the ransomware named Ryuk was started by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once inside, Ryuk can spread across network servers, file shares and individual computers. To prevent the attack from spreading throughout their network, the city of Durham has temporarily disabled all access into the DCI network for the Durham Police Department, the Durham Sheriff’s Office and their communication center. This has caused the city’s 911 call center to shut down and the Durham Fire Department to lose phone service. 911 calls, though, are being answered; they’ve probably been rerouted. While they have not seen signs that data has been stolen, the city warned that users should be on the lookout for phishing emails pretending to be from the City of Durham. So another case of a municipality probably not being prepared for that; obviously not much phishing education going on there.

A new US bill aims to protect researchers who disclose government backdoors, so this is kind of good news. This is also reported on BleepingComputer. New legislation has been introduced that amends the Espionage Act of 1917 to protect journalists, whistleblowers and security researchers who discover and disclose classified government information. The goal of the new legislation is to amend the Espionage Act of 1917 so it cannot be used to target reporters, whistleblowers and security researchers who discover and publish classified government secrets. Concerned that the current laws are being used for partisan prosecution, US Representative Ro Khanna, Democrat of California, introduced the new legislation to Congress on March 5, 2020, and US Senator Ron Wyden, Democrat from Oregon, will soon introduce it to the Senate. And then it goes on to talk about some of the details of the bill. But it raises an interesting point. So the Espionage Act of 1917, more than 100 years ago, means it’s time to update that act, time to update those laws, right? And I think that’s true for a lot of laws that we still hold on to, that we keep close to our chest in this country. Some of those laws need to be updated.
You can’t live on something that was created over 100 years ago and expect it to still be relevant today.

Also on BleepingComputer: ransomware threatens to reveal company’s “dirty” secrets. The operators of the Sodinokibi ransomware are threatening to publicly share a company’s “dirty” financial secrets because they refused to pay the demanded ransom. As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks. In new posts by the Sodinokibi operators to their data leak site, we can see that attackers are not only publishing victims’ data but also sifting through it to find damaging information that could be used against the victim. In the post, the attackers are threatening to sell Social Security numbers and dates of birth of people in the data to other hackers on the dark web. So you can see in the article there’s an image from a breach that they committed where they have data. It is only a small part of the data. They also intimate that they found dirty financial secrets in the data and threaten to disclose it. Their quote is: “It’s only a small part of your data and it’s in picture for now. Every day more and more information will be uploaded. Social Security numbers and dates of birth and other information about people will be sold in dark web to people who will use them for their, probably, dark deals. After revealing people’s personal data, they will be informed who is guilty, and publications. There’s also other interesting information. Your financial reports are very interesting and dirty. These secrets will be revealed a little later to certain people.” So what does that mean? It means if you are doing something a little less than ethical when it comes to your finances and your business, you’re going to want to take a look at your security, because if they grab it, they’re going to expose you. So now you’re looking at a double-edged sword here, because now you’re going to have to deal with them and you’re going to have to deal with the authorities.

HHS finalizes interoperability rules: seven things to know. This was reported on beckershospitalreview.com, and I’m just going to go through it real quick here. The two rules issued by ONC and CMS support the MyHealthEData initiative and the 21st Century Cures Act. Seven things you need to know about the finalized rules. Number one: ONC’s final rule pinpoints necessary activities that do not constitute information blocking and establishes new regulations to prevent information blocking practices by providers, health IT developers, health information exchanges and health information networks. Two: under these new rules, EHR users will be able to share health records data in formats such as screenshots or video. The rule outlines new provisions for health IT developers to ensure that providers using their products can communicate about health IT usability, user experience, interoperability and security using visual methods. Number three: ONC’s final rule also requires EHRs to provide necessary clinical data, including data classes, to promote new business models of care. The rule supports the advancement of common data through the US Core Data for Interoperability, which is a standardized set of health data classes and data elements used for nationwide health information exchange. And four: ONC’s final rule also establishes standardized application programming interface requirements to support patients’ free access to and control of their electronic health data via a smartphone app of their choice.
Number five: CMS’s interoperability and patient access final rule requires Medicare Advantage, Medicaid, CHIP and federal exchange health plans to electronically share claims data with patients beginning January 21 of 2021. Number six: the patient access API required by CMS will allow patients to access their health data through any third-party app they pick to connect to the API, and will integrate a patient’s health plan information with a patient’s EHR. Patients can take their health and claims data with them as they move between different health plans and providers. And number seven: under CMS’s final rule, the agency will establish a new condition of participation for all Medicare and Medicaid participating hospitals, requiring them to send electronic notifications to other healthcare facilities or community providers when a patient is admitted, transferred or discharged, beginning April 1, 2022. CMS will also require states to send enrollee data for beneficiaries enrolled in both Medicare and Medicaid. So that is on beckershospitalreview.com. You can go review the rest of that, with links to the actual documents, there.

CISA warns against COVID-19 cyber scams and provides security tips. So there have been a number of COVID-19 cyber scams already, most of them around phishing, but there are others. So CISA has issued a warning. You can see that on CISA’s website, and there is a guide as well for it, so you can review all of that. But in short: HHS, the WHO and the CDC, all those agencies, they’re not going to proactively email you or contact you. You have to be on their list for them to do that. You should not click on any links or download any documents that purport to be from those agencies if you have not signed up for the mailing list, and even if you have, I would be very cautious. Also, any websites claiming to have a vaccine or a cure, those are not real. Just ignore them and close them. Don’t visit those websites. And there are more and more being created rapidly, and I’m receiving emails and notifications every day about new scams. There is a map that shows the number of cases of COVID-19 as well as the number of people that have recovered, and the deaths and so forth. The only legitimate one is on the Johns Hopkins website, and I believe it’s coronavirus.jhu.edu. If you want to use that, great, use that; otherwise don’t, because what people are doing is using this map to hide malware on their sites, and in doing so, people are installing malware on their computers.

And then finally, we have a fake tech support company. This is infosecurity-magazine.com: fake tech support company dupes 40,000 victims out of $8 million. So a college dropout has admitted using malware and a fake tech support company to con 40,000 victims out of millions of dollars. This is in India. A former engineering student, Amit Chauhan, set up a bogus tech support company called Tech Support in January 2019, together with his accomplice and Indian resident Sumit Kumar. Chauhan ran the center from the upscale Udyog Vihar area of Gurugram, a city just southwest of New Delhi in northern India. Victims who called up the fake company for technical support were asked to go online and click on a particular pop-up. When they did, malware was activated that stole the victims’ financial data. Chauhan admitted to police that he and Kumar had used a fake company and malicious pop-ups to dupe over 40,000 foreign nationals out of what works out to more than 8 million US dollars. And this was in just over a year; they started in January of 2019. So keep that in mind before you pick up the phone and dial someone randomly because you have a pop-up on your screen.
And that’s exactly what it was: a pop-up on the screen saying something like “your computer’s been compromised, call us, here’s the number and we’ll help you.”

Let’s do a little focusing. Obviously, again, COVID-19, coronavirus, is taking hold of our country and the world as a whole. So we’re going to talk about a topic that has come up quite a bit in the last week or so, at least here where I am in the world, and that is work from home. So, the global spread of the COVID-19 coronavirus means more of us will be working remotely. CIOs need to help their businesses and employees deal with this change now and in the longer term. This is on ZDNet. Now, what I’m going to go over applies to smaller businesses who don’t have a CIO; that would be someone like me in this case, who would handle your IT, and we would set you up to work from home. So the risk of COVID-19 infection means IT executives are swapping the airport lounge or conference hall for a desk at home and a video conferencing link. Companies around the globe are making a sensible decision to encourage working from home and drop travel plans, while many major IT conferences have been pushed online or postponed. For many people that work in the technology sector, the normal way of doing business, meeting and greeting in locations around the globe, has been put on hold. We’re still in the very early days of the pandemic, so it’s hard to know how long the situation will remain in place. In a Q&A on its website, the European Centre for Disease Prevention and Control says simply that it’s not possible to predict how long the outbreak will last and how the epidemic will unfold. The human cost is already huge, with thousands of confirmed cases and deaths globally. Even for the people who don’t suffer from the infection, the potential impact in terms of disruption to daily lives is huge.

Analyst Gartner says COVID-19 has the potential to be as disruptive to an organization’s continuity of operations as a cyber intrusion or a natural disaster. Researcher Forrester, meanwhile, says the central role of technology in business operations means that IT leaders have a crucial role. “CIOs should be helping their businesses prepare for increased remote working during the coronavirus outbreak,” says Andrew Hewitt, analyst at Forrester. “Primarily, they should be revisiting the technology stack that’s essential for remote work and ensuring that it has the capacity to meet increased demand when more employees start working from home.” Creating an action plan for remote work in some businesses will not be straightforward. Gartner senior research director Sandy Shen says coronavirus is a wake-up call for organizations that have chosen to focus on daily operational needs at the expense of investing in digital business and long-term resilience. Very true, by the way. Businesses in this position must turn to the cloud. For IT leaders looking to get remote workers up and running quickly, Forrester suggests focusing on three core areas. First, collaboration: ensuring employees have access to video conferencing technologies, know how to use them, and have them installed ahead of time. Second, information access: ensure employees can get access to their most important work files and documents so they can maintain their productivity while working from home; tools like file sync and share, such as Dropbox, Box and OneDrive, are essential during this period. And security: ensuring employees are taking the right precautions to protect enterprise data that’s in a remote location. This could mean having employees update their passcode prior to working remotely and urging employees to transfer files to cloud-based systems to avoid overloading VPN systems.
However, getting technology in place is just one part of the remote working puzzle. Just as some firms have been slow to make the most of collaborative technologies, some others have been slow to take advantage of the more flexible ways of working that digital tech allows. Presenteeism remains the norm for many companies. The Chartered Institute of Personnel and Development says more than four in five employers have observed presenteeism, in the form of going to work when ill, in their organization. That’s a lot of people: 83%. A quarter say that the problem has gotten worse in the past 12 months. When the potentially devastating impact of COVID-19 comes into play, then the perception from employees that they must turn up to work whatever the personal cost starts to look even more dangerous. In many ways, our preparedness to allow people to work flexibly hasn’t advanced as quickly as the technology that affords this transformation. Whether they’re ill or well, many employees still suffer from a nagging sense of guilt if they’re not seen sitting at a desk in an office all day, and managers’ perceptions add to that feeling of guilt.

So what does that mean for small businesses? You could set up work from home for your employees fairly easily. Almost all of my clients have their file share set up so that it can be accessed from anywhere with their computers. Some of them require extra licensing and so forth to get it moving forward for work from home, but that’s okay, that’s not a big deal. There are Remote Desktop options. Now, Windows Remote Desktop comes with risk, and so if you’re going to use that, you should be doing it over VPN. And if you don’t have VPN, you shouldn’t use it. But there are other options out there to allow that to happen. You do have things like Dropbox and OneDrive that will work great as temporary solutions, depending on the size of your business. If you’re a large business, OneDrive may not be the best option, or Dropbox may not be the best option, but for a smaller, you know, five- or six-person business, that could work. I think the most important thing is going to be security, so nothing changes. All my clients are either on G Suite or Office 365, and that will work anywhere. With multi-factor authentication, of course, we’ll have to do a little extra work, but it’s nothing that can’t be overcome. Collaboration software: you do have Slack and Microsoft Teams to communicate. You also have Zoom and similar software out there to allow for video conferencing, Zoom probably being the easiest and most common at this point, and most affordable. So these are all things that are easy to accomplish now. And so this is what we should be looking at. Businesses for the most part can do work from home, or at least partially work from home. I get that there are some businesses that can’t: restaurants, you can’t; healthcare, you really can’t; some parts of healthcare you can’t, other parts you can. So it can be done, and it should be done. If it’s not necessary to be in an office, it should be work from home. If you’re going to need to purchase hardware, you’re going to want to do that ASAP, because there is going to be a shortage on some hardware, including laptops, I suspect, and there already was a shortage on Intel processors. So I expect that there will be more shortages coming soon. So that’s going to take care of that topic, working from home. It is an option, and I think almost every industry is capable of doing that; the only ones that aren’t are the ones that need to be hands-on. So your healthcare providers, you know, nurses, doctors and so forth, are not going to be able to work from home, but minimize your exposure, I guess, would be best.
You know, your restaurant workers, and to some degree people that are needed in grocery stores, food delivery and pharmacies and things like that, some of that is going to need to be people in person. If there are things like plumbing or electrical that need to be done, you can’t do that remotely.

So next up, we have an article here: Apple, this is how you should disinfect your iPhone, iPad and Mac. I thought this was interesting for two reasons, so I’ll get to that. One is the timing of it. They actually put this out just before the outbreak, even though the article says March 10, but they announced this before, and so I thought it was important. And this is Apple, so the same is probably true of most tablets and phones. But don’t mess it up, because liquid damage isn’t covered under the Apple warranty or AppleCare. A few weeks ago, ZDNet posted a simple, and as it turned out timely, question over on Twitter: how often do you disinfect your smartphone? Two thirds of the respondents answered never. My kids are part of that two thirds, for sure. How things change, and quickly. Now that the COVID-19 coronavirus has reared its ugly head, sanitizing gadgets that we hold in our hands and pockets all the time, take to the bathroom with us, and then hold exceedingly closely to the orifices on our faces makes more sense. Apple has updated its “How to clean your Apple products” support document in response to coronavirus to include information on how to sanitize all things Apple. Apple recommends using 70 percent isopropyl alcohol wipes or Clorox Disinfecting Wipes to gently wipe the hard, nonporous surfaces of your Apple products, such as the display, keyboard or other exterior surfaces. Sounds simple, but there are caveats. Don’t use bleach; that should be a no-brainer. Avoid getting moisture in any opening. Don’t submerge Apple products in any cleaning agents, and don’t use disinfectants on fabric or leather surfaces. Also, owners of Apple’s $6,000 Pro Display XDR monitor featuring its nano-texture glass need to be aware that the device has its own special cleaning instructions. Failing to follow these care instructions could damage the display. Apple is also keen to point out that if during the cleaning process any liquid makes its way into the product, you could be in a world of hurt, and that liquid damage isn’t covered under the Apple product warranty or AppleCare protection plans. So take care. To prevent liquid damage, and bear in mind Apple is good at spotting liquid damage, give disinfecting wipes a gentle wring to remove excess moisture. Apple also has a big list of do’s and don’ts: use only a soft, lint-free cloth; avoid abrasive cloths, towels, paper towels or similar items; avoid excessive wiping, which might cause damage; unplug all external power sources, devices and cables; keep liquids away from the product unless otherwise noted for specific products; don’t get moisture into any openings; don’t use aerosol sprays, bleaches or abrasives; and don’t spray cleaners directly onto the item.

And our last focus is, as I mentioned a few minutes ago, the coronavirus maps. This is on KrebsOnSecurity. Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the coronavirus, COVID-19, pandemic in a bid to infect computers with malicious software. In one scheme, an interactive dashboard of coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious websites, and possibly spam emails, to spread password-stealing malware.
Late last month, a member of several Russian-language cybercrime forums began selling a digital coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code-signing certificate, and $700 if the buyer wishes to use the seller’s certificate. “It loads a fully working online map of coronavirus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real-time data from World Health Organization and other sources. Users will think that preloader is actually a map, so they will open it and will spread it to their friends and it goes viral.” The sales thread claims the customer’s payload can be bundled with the Java-based map into a file name that most webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user, the victim, has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java. “Loader loads .jar files, which has real working interactive coronavirus detailed real-time data map and a payload. Can be separate loader,” the seller said in the video. “Loader can pre-download only map, and payload will be downloaded and will be loaded after the map is launched, to show map faster to users. Or vice versa, payload can be pre-downloaded and launched first.” It’s unclear how many takers the seller has had.

But earlier this week, security experts began warning of new malicious websites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware, so that’s A-Z-O-R-U-L-T. As long as the pandemic remains front-page news, malware purveyors will continue to use it as a lure to snare the unwary. Keep your guard up and avoid opening attachments sent unbidden in emails (sent unbidden, I don’t know what that means; maybe it’s supposed to be honored), even if they appear to come from someone you know. A tip of the hat to Hold Security for the heads up on this malware offering.

So the map, and I mentioned it already: if you go to coronavirus.jhu.edu, you will see an interactive map that includes the number of total deaths, total confirmed cases, total recovered and so forth, and you can drill down to areas and see how many cases and all the stats. So that one is legitimate, coronavirus.jhu.edu. But then what people are doing is taking that map and including it in their websites and their downloads, and then wrapping it with malware, essentially, and this is what’s causing the problems. So don’t download that map. If you want to look at it or need to look at it, go to coronavirus.jhu.edu, and coronavirus is spelled C-O-R-O-N-A-V-I-R-U-S, dot jhu dot edu. I’m sorry, it’s coronavirus.jhu.edu/map.html. So, again, hopefully that helps curb the spread of the malware and we can eliminate any damage caused by this malicious type of activity.

All right, let’s do a little HIPAA education. We did have our first HIPAA enforcement of 2020: healthcare provider pays $100,000 settlement to OCR for failing to implement HIPAA Security Rule requirements.
And this is going to be a pure case of negligence, as you're going to hear. I actually shared Roger Severino's quote on Instagram and a few other social platforms this week, so you can go look for that. The Instagram is Nwaj Tech. But I'll also read it here. So: healthcare provider pays $100,000 settlement to OCR for failing to implement HIPAA Security Rule requirements. This is the press release from the OCR. The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act Security Rule. Dr. Porter's medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah. OCR began investigating Dr. Porter's medical practice after a breach report was filed with OCR related to a dispute with a business associate. OCR's investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach, and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. So what does all that mean? Essentially what happened was Dr. Porter filed a dispute with a business associate. And I don't know if the agreement has that information; I don't think it does. But in an investigation, the OCR investigated the whole thing and determined that Dr. Porter never conducted a risk analysis, which is part of the HIPAA rules, right? And said, hey, you need to do this, you need to do a security risk analysis and you need to do A, B and C for you to be HIPAA compliant. And they didn't do it. So OCR came in and said, do this and you're good to go.
They didn't do it. They ignored the OCR. And then the OCR came back and said, you didn't do it, and now we're going to have to fine you. So there probably was a fine much more significant than $100,000; Dr. Porter and OCR negotiated down to $100,000. And so here's the quote from Roger Severino: "All healthcare providers, large and small..." Small, again, small, I'm going to say it again: small. It doesn't matter how small you are. Like I said, I work with a one-person psychiatric practice, just one person. He has his wife do the billing, and he does everything else. One person. So it doesn't matter how small you are. "All health care providers, large and small, need to take the HIPAA obligation seriously," said OCR Director Roger Severino. "The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry." Now, that said, the failure to implement basic requirements such as an accurate and thorough risk analysis and risk management plan means that not only did they not do the analysis, but the things that needed to be addressed, they also didn't do. I thought I saw that this goes back to 2013, but for some reason I'm not seeing that now. Let's see if it's in the agreement. But, so, what does that tell you? It tells you I don't care how small you are, you still fall under the HIPAA rules. You fall under HIPAA if you transmit PHI, protected health information, electronically to an insurance company. As long as you do that, then you fall under HIPAA, and you're in the U.S., of course. So, okay, it does include the name of the business associate, which is Elevation43. Okay, now I remember this. So yeah, I think Elevation43 was an EMR/EHR, electronic health record, company.

And Dr. Porter didn't pay them; the practice owed them $50,000. So Elevation43 refused to allow Dr. Porter access to the PHI until Elevation43 paid 250 thousand, I'm sorry, until Dr. Porter paid 250 thousand dollars. So, here's what, so I'll read the factual background. OCR initiated a compliance review of the practice following receipt of the practice's breach report. It was November 21, 2013. So this is six and a half years ago. The practice's breach report claimed that Elevation43, a business associate of Dr. Porter's and his electronic health record company, was impermissibly using the practice's patients' electronic protected health information by blocking the practice's access to such ePHI until Dr. Porter paid Elevation43 $50,000. OCR's investigation of the practice revealed that the practice demonstrated significant noncompliance with the HIPAA Rules and the following covered conduct occurred. The practice failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, the practice failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI. Further, the practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (45 CFR 164.308(a)(1)). The practice permitted Dr. Porter's EHR company to create, receive, maintain, or transmit ePHI on the practice's behalf, at least since 2013, without obtaining satisfactory assurances that the EHR company would appropriately safeguard the ePHI. So, in addition to the hundred thousand dollar settlement, Dr. Porter will have a corrective action plan in place for two years with the HHS. And so what that means is that the HHS is going to oversee and ensure that everything is done the way it's supposed to be done for HIPAA.
And that's for two years, and they're going to have milestones where they have to say, this is done, this is done, this is done. And that's for two years. So that's going to cost them some money too. So that's something to think about there. And if at any time during that agreement they again show they're negligent, then you're potentially looking at more fines. So you can read the entire agreement, as well as the press release, which I read already, on the hhs.gov site under HIPAA breach settlements, HIPAA breach enforcements. And, you know, what do we learn from this? What we learn is that, and I've said this before, if OCR comes in and says, hey, you need to do this, A, B, and C, you should be doing A, B, and C, because they're not going to tell you again; next time you'll be fined. And I think even in this case, the corrective action plan is going to cost more than the settlement. I don't know what the original fine would have been, but in this case I'm sure it was more than $100,000. In this case, the corrective action plan is probably going to cost more than the actual settlement itself. This is a case of pure negligence, meaning Dr. Porter didn't have any intention of doing the right thing under HIPAA. So something to think about for your smaller practices, as you heard in Roger Severino's quote. Something to think about when you say, well, HIPAA doesn't apply to me, or, you know, I'm not going to do this, it's too much work, or whatever the excuse is, and it is an excuse. You need to stop with the excuses and start listening to the OCR, and to some degree, listen to me. All right, time for the HIPAA breach report. We don't have a lot this week, and I suspect it's because the HHS is dealing with the COVID-19 outbreak. But let's go through what we have.
The University of Kentucky has been battling to remove malware that was downloaded onto its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capability of UK computers to mine Bitcoin and other cryptocurrencies. The malware caused a considerable slowdown of the network, with temporary failures of its computer systems causing repeated daily interruptions to day-to-day functions, in particular at UK HealthCare. UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning UK performed a major reboot of its IT systems, a process that took around three hours. UK believes the attackers have now been removed from its systems, although they will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States. UK HealthCare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, Kentucky, serves more than 2 million patients. While computer systems were severely impacted at times, patient care was not affected and patient safety was not put at risk. An internal investigation was launched and third-party computer forensic specialists were engaged to assist with the investigation. University spokesman Jay Blanton said it was hard to determine whether any sensitive data was viewed or downloaded; the belief is that the malware attack was solely conducted to hijack the device processing capabilities of the UK network to mine cryptocurrency.

Arkansas Children's Hospital reboots systems to deal with cyber security threat.
Arkansas Children's Hospital in Little Rock has experienced a cyberattack that has impacted Arkansas Children's Hospital and Arkansas Children's Northwest. Its IT systems have been rebooted in an attempt to deal with the cyber threat, and a third-party digital forensics firm has been engaged to assist with the investigation. The exact nature of the threat has not yet been disclosed and it is currently unclear when the attack will be resolved. All facilities are continuing to provide medical services to patients, but some non-urgent appointments have been rescheduled. As the investigation is ongoing and this doesn't have a date, I'm assuming it was within the last few days. We have a report here that says 53% of healthcare organizations have experienced a PHI breach in the past 12 months. I did report this in an earlier episode of the ProactiveIT Cybersecurity Daily, so I'm just going to skim it real quick today. The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, a report from Keeper Security, shows approximately two-thirds of healthcare organizations have experienced a data breach in the past and 53% have experienced a breach of protected health information in the past 12 months. That is pretty scary. The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, UK, DACH, Benelux and Scandinavia, including 219 respondents from the healthcare industry. So it's a small sample when you compare it to how many healthcare providers there are all around the world, but in that sample 53% have experienced a breach of PHI in the last 12 months. And then two other HIPAA breaches. Relation Insurance Inc., an insurance brokerage firm doing business as Relation Insurance Services of Georgia (RISG), experienced an email security breach in August 2019.
An unauthorized individual was discovered to have gained access to the email account of an employee and potentially viewed or copied emails containing protected health information. The breach was detected on August 15, when suspicious activity was detected in the email account. A third-party computer forensics firm assisted with the investigation and determined that the account was accessed by an unauthorized individual between August 14 and 15. On August 16, RISG determined the account contained PHI. However, it took until December 13, 2019 for a full review of the account to be completed to determine which individuals had been affected and exactly what information was potentially compromised. The account was found to contain a wide range of information, which differed from individual to individual. The breached PHI may have included name, address, telephone number, email address, date of birth, driver's license number, Social Security number, passport number, state-issued identification number, copies of marriage or birth certificates, account and routing number, financial institution name, credit/debit card number, PIN, expiration date, treatment information, prescription information, provider name, medical record number, patient ID, health insurance information, treatment costs, medical history, mental or physical condition, diagnosis code, procedure type, procedure code, treatment location, admission date, discharge date, medical device number and date of death. And then another breach: Jefferson, Wisconsin-based Rainbow Hospice Care Inc. has discovered an employee's email account has been accessed by an unauthorized individual, and the protected health information of 2,029 current and former patients may have been viewed or downloaded. Third-party forensic investigators were engaged to investigate the breach. While they confirmed that the account had been accessed by an unauthorized individual, they were unable to determine whether any patient information was accessed or exfiltrated.
An analysis of the compromised account revealed it contained patient names, dates of birth, treatment information, medical record numbers and Social Security numbers. Patients have been notified about the breach and have been offered complimentary credit monitoring. In this case, it doesn't say when the breach happened, so I don't know. But the previous one we talked about, Relation Insurance Services of Georgia, did not comply with the 60-day Breach Notification Rule. And in both cases, we're still seeing these phishing attacks that are succeeding. So, not good news. We just continue to not have accounts with multi-factor authentication. We continue to have email accounts with PHI in them; it shouldn't happen. And we continue to not have phishing mitigation, phishing training and testing. So that is it for the HIPAA breach report. I told you that it is a light week for HIPAA breaches, again probably due to the COVID-19 outbreak. I'm sure HHS is quite busy with that. With that being said, stay secure until next week, and stay healthy. Just be extra vigilant when it comes to anything digital related, especially emails, text messages, and things like that. Don't click it. If you didn't ask for it, don't click it, and we'll talk again next week.

Transcribed by https://otter.ai

Author Scott Gombar