Tags: HIPAA Breach, Cyber Security, Healthcare IT, Information Security, Podcast

ProactiveIT Ep 10 – The Cost of a Ransomware Attack & Security Risk Assessment

December 27, 2019

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus What is the Cost of a Ransomware Attack and What is a Security Risk Assessment anyway? 

This is Episode TEN!  Where’s the Music?

Intro

Hi Everyone and welcome to the Proactive IT Podcast.  Each week we talk about the latest in tech and cyber news, compliance and more.  We also bring you real world examples to learn from so that you can better protect your business and identity. 

This podcast is brought to you by Nwaj Tech – a client focused & security minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

Patch Tuesday Update:

No new patches were released this week. Below is the list of December patches as reported in previous episodes:

Firefox 71

Chrome 79.0.3945.88

Apple and iOS

https://www.bleepingcomputer.com/news/microsoft/microsofts-december-2019-patch-tuesday-fixes-win32k-zero-day-36-flaws/

https://threatpost.com/adobe-fixes-critical-acrobat-photoshop-brackets-flaws/150970/

Drupal should be updated to address critical vulnerabilities. The fixed releases are Drupal 7.69, 8.7.11 and 8.8.1; unpatched sites allow remote attackers to compromise the web server.

The WordPress plugin 301 Redirects – Easy Redirect Manager should be updated to version 3.45.

 

Question sent in: Does a solo practitioner who does not accept insurance need to provide an NPP (Notice of Privacy Practices), and are they subject to HIPAA regulations?

 

Cyber Security News

A note from the FBI re: LockerGoga and MegaCortex

“Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga.”

 

  • Have a BCDR (backup and disaster recovery) plan. Back up regularly, test the backups, and keep a copy offline.
  • Ensure all software and operating systems are up to date.
  • Enable 2FA and have a strong password policy.
  • Disable RDP wherever it is not needed. Ensure RDP ports are blocked externally. Use RDP over VPN, and use third-party software to further secure RDP.
  • Audit the creation of new accounts.
  • Run port scans to ensure unneeded ports are closed and nothing is listening that shouldn’t be listening.
  • Disable SMBv1.
  • Monitor AD for access levels, account changes and new accounts.
  • Make sure you are using the most up-to-date PowerShell and uninstall any older versions.
  • “Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell.”
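The PowerShell below is an added example, not code from the FBI note or from the podcast. It audits a Windows host against several of the items above (SMBv1, the old PowerShell 2.0 engine, RDP, script block logging), lists recently created accounts from Security event ID 4720, and decodes any Base64 `-EncodedCommand` argument found in a command line. It assumes Windows 10 / Server 2016 or later with the built-in SmbShare and DISM modules and an elevated Windows PowerShell 5.1 session for the configuration checks; the sample command lines and the encoded payload at the bottom are constructed here and are not real telemetry.

```powershell
# Added example: audit a host against the FBI hardening items and flag encoded PowerShell.
# Run the configuration checks elevated; Find-EncodedPowerShell runs anywhere.

function Test-RansomwareHardening {
    # One Pass/Fail row per check so the output can be reviewed or exported.
    $results = @()

    # SMBv1 (the WannaCry attack vector) should be off on the server side.
    $smb = Get-SmbServerConfiguration
    $results += [pscustomobject]@{ Check = 'SMBv1 disabled'; Pass = (-not $smb.EnableSMB1Protocol) }

    # The PowerShell 2.0 engine predates script block logging; it should be uninstalled.
    $ps2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
    $results += [pscustomobject]@{ Check = 'PowerShell 2.0 engine removed'; Pass = ($ps2.State -ne 'Enabled') }

    # fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $results += [pscustomobject]@{ Check = 'RDP disabled'; Pass = ($rdp.fDenyTSConnections -eq 1) }

    # Script block logging writes decoded script text to event ID 4104, which is what
    # makes monitoring for Base64 encoded PowerShell practical.
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'Script block logging enabled'; Pass = ($sbl.EnableScriptBlockLogging -eq 1) }

    return $results
}

function Get-RecentAccountCreations {
    # Event ID 4720 = "A user account was created". Needs account-management auditing enabled.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read named EventData fields from the event XML instead of relying on positional indexes.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CreatedBy  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    }
}

function Find-EncodedPowerShell {
    # Returns one object per command line carrying an -EncodedCommand argument, with the
    # Base64 decoded as UTF-16LE (the encoding powershell.exe expects for that switch).
    param([string[]]$CommandLines)
    foreach ($line in $CommandLines) {
        # powershell.exe accepts abbreviated switch names, so match -e, -ec, -en, -enc too.
        if ($line -match '(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
            try {
                $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
            } catch {
                $decoded = '<not valid Base64>'
            }
            [pscustomobject]@{ CommandLine = $line; Decoded = $decoded }
        }
    }
}

# Constructed sample command lines (not real telemetry). The encoded payload is built
# here so the example stays self-contained; it decodes to a harmless Write-Host.
$payload = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Write-Host "encoded test"'))
$sampleCommandLines = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
    "powershell.exe -NoP -W Hidden -enc $payload",
    'cmd.exe /c whoami'
)

Find-EncodedPowerShell -CommandLines $sampleCommandLines | Format-List
Test-RansomwareHardening | Format-Table -AutoSize
Get-RecentAccountCreations -Days 7 | Format-Table -AutoSize
```

In production the command lines would come from Sysmon event ID 1 or Security event ID 4688 (with command-line auditing enabled) rather than from a hard-coded array, and a failing row from Test-RansomwareHardening is the place to start remediating.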

OCR Issues Guidance on Targeted Ransomware 

Critical Citrix Bug Puts 80,000 Corporate LANs at Risk

New Magellan 2.0 SQLite Vulnerabilities Affect Many Programs

Windows 10 2004 Under Development, Here Are the New Features

Hot Topics

Topic 1:  https://www.theverge.com/2019/10/28/20936541/facebook-preventative-health-cancer-heart-disease-flu-tool

Topic 2:  Ransomware attack forces Arkansas CEO to fire 300 employees days before Christmas

Topic 3:  https://www.webpt.com/blog/post/5-things-small-practices-need-to-know-about-hipaa

HIPAA Corner: The Security Risk Assessment

https://www.hipaajournal.com/hipaa-risk-assessment/

https://www.youtube.com/watch?v=VxqJ-2KCCyk

 

A security risk assessment should be done at least once every 12 months, and again whenever there are significant changes (new people, new equipment, etc.). It covers the three HIPAA Security Rule safeguard categories:

  • Administrative
  • Physical
  • Technical

6 Most Common Causes for Breaches

  • Snooping
  • Negligence
  • Human Error
  • Intentional Targeting (Hacking/Ransomware)
  • Unintentional Targeting (Phishing)
  • Identity Theft

HIPAA Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/


Transcription (Unedited)

This is the ProactiveIT Podcast. This week: What is the Cost of a Ransomware Attack and What is a Security Risk Assessment anyway? Episode ten. Hi everyone and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so you can better protect your business and identity. This podcast is brought to you by Nwaj Tech, a client focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that’s N-W-A-J-T-E-C-H dot com.

We kick off every episode with the Patch Tuesday update. Good news: there’s no Patch Tuesday update this week. It is the end of December, the end of 2019, and there are no new patches to report. If you missed previous episodes then you missed all the patches that did occur this month. There were quite a few for all major operating systems and a lot of software, so go check out episodes 8 and 9 to learn about what patches came in, and get those patches applied.

This week I’m introducing, well, it’s not really a new segment, it’s something I’ve wanted to do but haven’t had an opportunity to, but I do today. We had a question sent in regarding HIPAA: does a solo practitioner who does not accept insurance need to provide an NPP, which is a Notice of Privacy Practices, and are they subject to HIPAA regulations? So that was the question. The problem is there’s not enough information in this question to fully answer it, but here’s what I will tell you. If you are working on a laptop and then you transmit files to a record-keeping system in the cloud, then you are now required to follow HIPAA practices. If you store documents in the cloud, you are required to follow HIPAA. If you send an email to anybody that includes any type of potential PHI, you are required to follow HIPAA. They do say that they do not accept insurance, so it’s all private pay, the client pays. So if the client is paying, there probably is a credit or debit card, so you are also obligated
to follow PCI compliance. We haven’t talked much about PCI on this podcast, but we will eventually. PCI is a Payment Card Industry set of compliance rules, so if you’re storing payment information you need to follow those rules. There’s not enough information in the question to completely answer it. I would err on the side of caution. The OCR website, the HHS website, has, and I’ll try to find it and include it in the show notes, a way for you to determine whether or not you need to follow HIPAA. For quite a few people I would say err on the side of caution, because with today’s technology and the potential for a breach and things like that, a HIPAA violation could probably put them out of business. So I would err on the side of caution. Providing an NPP is really not complicated. And if you work with any other vendors, I don’t know, it didn’t say what kind of solo practitioner they are, but if you have a billing and coding specialist or an accountant or a bookkeeper or somebody who might see your PHI, then you absolutely need to have HIPAA in place. The one thing they did ask is if they would be a covered entity, and that questionnaire would help them. I again would err on the side of caution and say yes. HIPAA practices should actually be a little bit easier for a solo practitioner because you’re in more control, but speak to a consultant and find out whether or not it is relevant to your business. Without more information I wouldn’t be able to answer that completely, but that would be my feedback. I shared that feedback already with the person who asked the question and they seem to be satisfied with my answers, so we’re going to leave it at that.

All right, as we expected it was a light news week for cybersecurity, given it was the Christmas holiday. We have a few things to share today. First up, a note from the FBI regarding LockerGoga
and MegaCortex. “Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits indicators of compromise, command and control infrastructure, and targeting similar to LockerGoga.” So these are both ransomware variants, and the FBI has issued some tips to protect yourself and mitigate the risk. Again, there’s never a one-hundred-percent foolproof plan; however, there are steps you can take to reduce the risk significantly, and these are very similar to any other ransomware, so I’m going to go through the list quickly.

First of all, have a backup and disaster recovery plan. Back up regularly, test backups, and keep a backup offline. Ensure all software and operating systems are up to date. Enable two-factor authentication and have a strong password policy. I’m going to stress that for a moment, because I did report on yesterday’s daily show that there’s a Chinese hacking group, APT20, that has bypassed two-factor authentication. I say that because nothing is foolproof; however, if you have two-factor authentication and a strong password policy then you’re even more protected. Having two-factor authentication is kind of pointless if your password is 123456. Have a strong password policy: uppercase, lowercase and special characters, and the longer the better, and that will help protect you against the potential compromises.

Disable Remote Desktop Protocol wherever it is not needed. Ensure Remote Desktop Protocol ports are blocked externally. Use Remote Desktop Protocol over VPN, and/or use third-party software to further secure Remote Desktop Protocol. Audit the creation of new accounts; you should be monitoring for that. Run port scans to ensure unneeded ports are closed and nothing is listening that shouldn’t be listening. Disable SMBv1; recall that was the attack vector for WannaCry. Monitor Active Directory for access levels,
account changes and new accounts. Make sure you are using the most up-to-date PowerShell and uninstall any older versions, and enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell. Now, you should be logging everything: logins, logouts, account creations, errors, hard drive errors, storage. In one case they didn’t discover they were being attacked until they ran out of storage and then realized something was wrong. So log storage space, and then logins. Somebody should be keeping an eye on those; there should be alerts set up when you reach a certain threshold so that it can be addressed in a timely manner. Those are the tips the FBI has released. Nothing really new there, but it’s a good reminder.

OCR issues guidance on targeted ransomware. This was on HIPAA Secure Now, also a partner of Nwaj Tech. “We are all affected by cybersecurity. Pay attention; the health of your business depends on it.” So this is really directed at any business, wherever you fall in the food chain in the healthcare industry: cybersecurity needs to be at the forefront of your mind. That might mean you are a small doctor’s office with a few patients, a large hospital, a technology company that supports healthcare clients, or many things in between. If healthcare is part of your success, you are a target too. This goes beyond HIPAA. Your world of compliance needs to extend outside of making sure that you fall into line when it comes to HIPAA rules and regulations. Those changes will assist you should a breach occur and reveal weaknesses in your business structure, but HIPAA compliance does not mean you are protected from a cyberattack. The Office for Civil Rights recently released insight into the threats. The message in the newsletter
goes further, recognizing that while ransomware attacks have been on the downslope for some sectors, the healthcare industry remains a constant and increasing target. The reason for this may be that patient information is needed on a regular and ongoing basis, thereby making it more likely that demands are met quickly, not to mention the data about individuals in a healthcare breach. Healthcare tends to be lacking when it comes to updated equipment and processes, making it an easy target to hack. In an area where large environments are the more likely targets, small environments feel less threatened, mistakenly assuming that their businesses do not hold valuable data. Any data is valuable today, and that is very true. Businesses of all sizes are potential victims. These attacks are not as immediate and obvious as they once were, and they are much more tailored to target their victims. They have been found to get back into systems and go undetected for a while. Phishing also remains an easy entry point via unsuspecting or untrained employees. The hacker can remain within a system for enough time to assess the structure and hit where it will hurt the business the hardest. OCR recognizes that having a solid HIPAA plan can help prevent, mitigate and recover a business if it is in place and monitored on an ongoing basis. This means that as a business owner, office administrator or IT provider, you need to ensure that you are regularly monitoring and regularly maintaining both your cybersecurity and your HIPAA compliance program. Like any good doctor will tell you, an ounce of prevention can go a long way. So that was on HIPAA Secure Now’s website, on their blog, by Art Gross. Go check that out. Their recommendations are spot on. You cannot take any threat lightly no matter the size of your practice, and we just talked about a solo practitioner, so any practice of any size is a potential victim. I don’t care what size business; they assume that
large businesses will pay quicker, but we’ve seen time and time again that the larger businesses can’t pay and are forced out of business. Sometimes being a small business makes it more appealing to the hackers. And again, I’m using that term hackers; it’s really attackers. Hackers is not a good term; hackers in general can be good or bad.

Next up, on Threatpost, and this was reported across multiple platforms but I’m reading from Threatpost: there is a critical Citrix bug that puts 80,000 corporate LANs at risk. I talked about this earlier this week on the Cybersecurity Daily. Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in its Citrix Application Delivery Controller, ADC for short, and Citrix Gateway. If exploited, it could allow unauthorized remote access to a company’s local network and arbitrary code execution. The Citrix products, formerly known as NetScaler ADC and NetScaler Gateway, are used for application-aware traffic management and secure remote access respectively, and are installed in at least 80,000 companies in 150 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The US accounts for about 30% of all vulnerable organizations. So that’s a lot of businesses. This attack does not require access to any accounts and therefore can be performed by any external attacker, as noted in research released on Tuesday. This vulnerability allows any unauthorized attacker to not only access published applications but also attack other resources of the company’s internal network from the Citrix server. While neither Citrix nor Positive Technologies released technical details on the bug, which is CVE-2019-19781, they said it affects all supported versions of the product and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5. According to the research,
Citrix applications are widely used in corporate networks, said the director of the security audit department at Positive Technologies in a statement. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability and how widespread Citrix software is, the researchers recommend updating. There’s a link to the Citrix list of mitigation steps. The mitigation is a configuration change that blocks communication to the aforementioned vulnerability. For a stand-alone system there are some commands you can run, and where there is a primary node the change has to take place on the primary; again there are some commands you can run. It looks like it’s a lot of commands, so you’re going to want to go to that article and then to the Citrix support site, and update as necessary.

Citrix was in the security news earlier this year when cyber attackers used password spraying techniques to make off with 6 terabytes of internal documents and other data, so they probably used that information to compromise Citrix further this year. The attackers had intermittent access to the infrastructure between October 13th 2018 and March 8th 2019, the company said, and the crooks principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in their consulting practice. So it doesn’t really leave a warm and fuzzy feeling with Citrix, and I know Citrix is widely used. The last real job I had, we did have a Citrix environment, so I know how widely used it is; that particular company used it across multiple countries. So it’s a big one. If you have a Citrix environment, make sure you take care of it, update it and mitigate the risk.

On BleepingComputer: new Magellan
2.0 SQLite vulnerabilities affect many programs. I reported this this morning on our daily show as well. SQLite is used in a lot of software packages and operating systems, including Google Chrome, Mozilla Firefox and Windows 10. For Google Chrome there was an update to mitigate that risk, I believe last week; there were two updates to Google Chrome this month, so one of those updates addressed this. It also affects Mozilla Firefox and Windows 10. I don’t believe Windows 10 was patched for SQLite, Magellan 2.0, in the last Patch Tuesday, so we’ll look for that in January. Firefox, I don’t believe, has updated either, so we’ll wait and see, but Google Chrome has an update, so if you have not updated Google Chrome to the latest version you’re going to want to do that. They can use the flaw to compromise a computer through Google Chrome. I’m not sure what the impact is and whether the attack is the same across the other software, but once again the case for this is: if you have software updates available, then apply those updates and update the computer.

Windows 10 2004 is the latest feature update that will come out in the spring of 2020, and it has a bunch of improvements. I’m not really going to go through all the improvements because there are a lot of them. If you want to read more about that, it’s on BleepingComputer and the link will be in the show notes. Some of the cool things I will tell you: it is upgrading Task Manager so that you can monitor a little more, if you don’t use any remote monitoring tools. It’s going to include a passwordless experience; some of you may already be using this depending on what you have for a device, so instead of a password you can use a fingerprint or a PIN or the Windows Hello experience. I don’t use Cortana, I always disable Cortana, but there will be a new Cortana experience, and
the network status page is going to be a little bit different. There are a bunch of new feature updates coming in the spring of 2020 for Windows 10 users, so be on the lookout for that. Hopefully it won’t break anything.

Let’s move on to our hot topics for the week. As I said, it was a holiday week so there’s not a lot to report or talk about. I did not add a new blog post to the Nwaj Tech site this week; we’ll try to get one out next week. But I did find an interesting article on The Verge: Facebook’s new preventive health tool pushes people to advocate for their health. This was actually posted back in October. I’m not sure how I missed it until now; I don’t really read The Verge, so that might have something to do with it. I think it is something you need to opt into, but starting October 28th Facebook will let users choose to get personalized reminders about healthcare tests and vaccines. The company’s new Preventive Health tool focuses on getting people information about cancer screenings, heart check-ups and flu vaccines, all measures that could hopefully help people catch deadly conditions long before they become lethal. The tool, which is currently only available to Facebook users in the United States, takes years of age and sex from their Facebook profile, which is maybe why I don’t have it available to me, because I didn’t put my birthday on Facebook, and that’s a whole other topic by the way, and provides them with a list of recommended screenings based on those two data points. So let’s say you’re 52 years old, Freddy Abnousi, Facebook’s head of healthcare research, tells The Verge. I mean, the fact that Facebook has a healthcare research department, I don’t know, that’s a little scary to me. That seems overboard for Facebook too, so I would say this might be a cause for concern, and where does that leave them in the HIPAA realm? One of the things that will come to you, based on the American Cancer Society’s
recommendation, is that you should have a colorectal cancer screening. Abnousi says that the app would then give you more information about what kinds of tests are available, from a colonoscopy to a stool test or CT scan, and hopes that users will then take what they learned and talk to their primary care physician about what would be best for them. So it doesn’t sound like they’re actually collecting information; they’re just using your birthday and gender to say you need to go do this. This marks Facebook’s second venture into health, after another effort promoting local blood drives launched in the United States in June after debuting in India in 2017. Overall, both of these tools make a far more simple entry into health than other tech giants have made. Amazon is branching into online pharmacies and electronic health records, so Amazon has opened another can of worms for themselves, and then there’s Apple’s health monitoring, on which there is now a call for legislation. So it’s not just Apple; there’s the new Fitbit, and I have a Samsung watch that does the same thing. In contrast, Facebook’s entries are basically enhanced reference pages from official websites mashed together with a calendar reminder, tailored to broad demographics instead of individuals. So I guess that’s not really PHI. I just wonder why they’re even getting into healthcare. Is Facebook a one-stop platform on the Internet? Are they trying to be the new AOL, I guess? Or is this an entry into something in the future? It’s interesting to me that they want anything to do with healthcare at all, given they’ve been involved in a HIPAA breach for some reason, and I think at this point that doesn’t matter. As I mentioned, I don’t keep my birthday on Facebook, and I know most people do, and that’s a potential for attackers, for social engineering to occur. Your phone number, and I still see a lot of people’s phone number and email address on
Facebook, your birthday, and then maybe where you live: this is enough information to do some social engineering, to do some digging around. Today, at the end of 2019, I know that information privacy is almost non-existent at this point; however, let’s not make it easier for the social engineers of the world, the bad hackers of the world, to take advantage of that information. So I do not keep my birthday on Facebook.

Here’s an article that I found; Bob actually shared it on Facebook with me. Ransomware attack forces Arkansas CEO to fire 300 employees days before Christmas. Now there are two sides to this, but I’ll get to the story first. The CEO of a telemarketing company in Sherwood, Arkansas has let go 300 employees after the company failed to recover from a ransomware infection. In a deeply apologetic letter to employees, The Heritage Company CEO Sandra Franecke said two months ago the servers were attacked by hackers who demanded a ransom to unlock the systems. Despite paying the attackers, the company struggled to get back on its feet, and decided to close shop and let everyone go. The local news station down in Arkansas got the letter, the letter that was written to the employees; the local news station is KATV, and the letter is here. I’m not going to read the letter, but the letter does sound very sincere and heartfelt.

So I’m going to continue. After the interview, to the employer I would say: let your employees know something, give them a chance to take their own lives into their own hands, and don’t play God with everybody’s life. So if you knew something happened two months ago, why are you waiting until right before Christmas to tell everybody? And shutting down for Christmas to save a few dollars as well? I don’t know. This is not the first time ransomware has shuttered a business in the United States this year. Brookside ENT and Hearing Center, a doctor’s office in Battle Creek, Michigan, was forced
to close its doors after hackers infected its systems, compromising everything from patient records to billing information. Unlike The Heritage Company, Brookside ENT did not pay the ransom; they likely figured it would have the same outcome anyway, and I did report on that earlier this year. These two stories and many others reported in the past year alone underscore the dire need to protect any business, big or small, from ransomware.

So here’s where I have a problem. I’m sad for the 300 employees, and apparently the letter says that the guy is still working to try to fix the issue two months later. Why not just wipe the drives and install clean? Obviously they didn’t have backups, so that’s where I’m going to go with this. You have 300 employees; what is the IT in this business? I mean, there should be backups. You should have backups of the website, backups of anything that is critical, and you should have mitigation steps. How did the ransomware get in? We don’t know; it doesn’t say. My guess would be a phishing attack. So did we train our employees on phishing? Do we have any phishing mitigation in place? 90% of all attacks start with a phishing attack, so is that what happened here? It sounds like maybe it did. And we know from prior podcasts where we talked about this: you don’t pay the ransom, because there’s no guarantee they’re going to give you your files back; there’s no guarantee they’re going to decrypt anything. And the weird part: they gave away seven cruises the week before they let everybody go. I don’t know, they say they paid for these in July, but I would imagine they could have gotten some money back for those cruises and paid for a third party to come in and resolve the issue. There’s definitely some poor planning going on here. The other reason I’m sharing this is that it does show the potential devastation that a ransomware attack can have: 300 employees fired, not really fired, laid off, right before Christmas. Now,
given the circumstances, are they going to be eligible for unemployment? I would assume so. But the devastation this is going to have on 300 families right before Christmas, I mean, I don’t know how you put that into words. You can’t. This is what we’re playing with: people’s livelihoods, when we’re not addressing the ransomware that is occurring right now. Ransomware is not specific to any industry. I know I talk a lot about healthcare, but it is not specific to any industry. They are opportunists. They will take whatever they can take, as you can see: those ransoms were paid. They will attack whatever they can attack. If you leave one little hole open they’re going to try to exploit that hole, and you need to ensure, for your livelihood and for that of your employees, that you’re protecting everything. Earlier in this podcast I went through a list of things that you can do to mitigate a potential ransomware attack, and then some education. You’re playing with people’s lives when you don’t address the concern. You wouldn’t leave the front door open, and I always use this analogy: if you live in an area where crime does exist, you would not leave the front door open. You’re leaving the front door of your business open if you’re not doing anything to mitigate the risk. I’d feel a lot better about this had they done what they were supposed to do, and you can tell they didn’t, because they would have been able to restore from backup if they had. I’m going to get off my soapbox now.

Let’s move along. This ties in with the question I talked about earlier about a solo practitioner and HIPAA and NPP requirements: five things small practices need to know about HIPAA. This is on WebPT. This blog post doesn’t have a date on it, which is actually an SEO technique, but I don’t see a date so I’m not sure when it was written; it’s relevant though, so let’s go through the list here. Five things that small
practices need to know about HIPAA. The first: you can only become a covered entity by performing a covered transaction. That’s it. That’s what I touched on earlier. Do you electronically transmit patient information related to covered transactions? Covered transactions generally include the electronic transmission of claims, so if you don’t take insurance then you don’t have to worry about it, but if you’re transmitting files electronically anywhere else then you do. They reference HHS’s online tool to evaluate your status. If you’re a covered entity you are required to comply with HIPAA, but if you’re not a covered entity you can stop worrying. You can’t accidentally become a covered entity unless you engage in a covered transaction. Using email doesn’t make you a covered entity even if you don’t encrypt it, but that’s not true, because you can be fined under HIPAA for having PHI. And if you’re not a covered entity, your intake forms referencing HIPAA don’t make you one. Remember that there’s only one way to fall within the scope of HIPAA: performing a covered transaction. One caveat: if you tell your patients that you comply with HIPAA requirements, you should do so. This doesn’t mean that you become a covered entity; it simply means that you should subject yourself to HIPAA’s privacy and security requirements because you promised your patients you would do so. For example, if you’re not a covered entity but your notice of privacy practices says that you use only HIPAA-compliant email software, then you should use it, not because HIPAA requires it but because you said you would. You must have written privacy policies. This is a mess, by the way.

Number two of the five things you need to know: HIPAA compliance audits are many providers’ greatest fear, but they’re absolutely something you can prepare for, as explained here, and there’s a link to another blog post on the HHS.gov site. Every covered entity and business associate is eligible for an audit. Audits can be random or
more targeted. At this point they tend to come after a breach or after some gross negligence. Every covered entity and business associate is eligible for an audit; audits can be random or more targeted, I just said that. They look at the policies and procedures adopted by covered entities and business associates to meet selected standards and implementation specifications of the privacy, security and breach notification rules. If you don’t have any such policies: HIPAA requires that all covered entities maintain written privacy policies and procedures. Of the three main components of HIPAA that government regulators are most familiar with, failure to maintain adequate policies and procedures is one of the biggest reasons that practices are fined. While privacy policies are required, they’re not a mere formality; in fact they come with some pretty good benefits, including providing you with accessible answers to questions like how you should handle a staff member who mishandled patients’ private information. Policies don’t typically address every specific situation, but they should give you enough guidance to problem-solve it yourself. How long should I retain patient records? How complex does my WebPT password need to be? Can members of my clinic share a single computer login? What do I do with an old laptop? Can I use the Wi-Fi at Starbucks? And by the way, on those last two: the laptop should be disposed of properly, and do not use the Wi-Fi at Starbucks.

Number three: the required risk assessment will help you tailor HIPAA compliance safeguards to your practice’s needs, and that’s incredibly true. We’re going to talk about the HIPAA security risk assessment in a moment. It isn’t one-size-fits-all. When you run a security risk assessment you’re looking for areas of opportunity, essentially, and it is a requirement once a year or if there are any changes. So let me get to that when we reach that portion of the podcast, but it is a requirement at least once a year.

Number four: without written policies, simply giving a notice of privacy practices
document to Patient doesn’t make you at the complaint also true you have a lot to do to become HIPAA compliant in just Distributing Des MPP isn’t enough it’s not even close to enough if I lean up at number five you must have hip agreements with anyone who handles your page information this is extremely turn out or we talked about this last week and it had the education portion of the of the podcast you if you have business associates and a business associate has a subcontractor and it just goes everybody needs to be hipaa-compliant you need a business associate agreement for everybody who is potentially in contact with your Phi there are some practices that will go so far as to give require a business associate agreement for every every vendor that they interact with if you don’t answer that say you have an MSP managing your network of computers and so forth and they threw them you have Office 365 then you should have a business day should have there are Office 365 is the vendor for the IT company they need a business associate agreement from profit from Microsoft and you need a business associate agreement from CIT vendor and that’s how it works you have to have a fan if it’s not a place you’re you’re not complying with HIPAA and you’re putting your your practice at risk being fined at the very least and what we’re saying is that right now where where people that are impacted by that the pictures are also being sued so not really something you want to play with you going to want to sure that you have business associate agreements in place before you begin working with any better alright let’s look at the HIPAA breach notification for the week again not a lot to report cuz it is a holiday week I would imagine next week will be the same but here’s what we have so December 26th in New Mexico hospital just goes malware on and imaging server so they found out we’re on a run radiological Imaging server that had around 500 patients information on malware infection was 
discovered in November 14th I’m so just over a month for them to to disclose so good job they’re prompt action was taken to isolate the cervix prevent further unauthorised access and then of course they updated the machine to make sure that there were no more about these on the machine so all around this is at Roosevelt General Hospital in Portales New Mexico by the way call Ron wasn’t so I would say it was a good job by the it at New Mexico hospital I’m sorry sir General Hospital in Port Alice Roosevelt General Hospital they recover quickly that isolated and a report to quickly solved on December 24th Christmas Eve we have to the state of Colorado is no to find 12234 mistletoe disclosure of some of the information as a result of a male you are essentially has sent $10,879 to reapply forms with the wrong information out incorrect individuals 12213 individuals have been incorrectly included on those that don’t believe that Phi what is this girl’s butt temperature be on the safe side they are notifying and provide a credit monitoring services for 12 months Sinai Health System phishing attack reported chicago-based Sinai health system as it’s go to the email accounts of two of its employees have been compromised as a result of responses to phishing emails no information has been disclosed about the date of the attack and when it was discovered by Sinai health system has reported a third-party computer forensics experts to turn it on October 16th 2019 at the compromise the child’s container Phi which was potentially access by the attackers so illegal one more time with h i n e mail and no lack of fishing mitigation including multi-factor authentication they do believe that 12578 records were involved and see if there’s anything else for the switch well that’s it it’s just the three this week so I’m quite week for HIPAA breaches to all right time for us to education peace as I mentioned earlier this is we’re going to talk about the security risk assessment today what 
will quick notes about it first of all the hit the risk assessment should be done at a minimum of at least once every 12 months but it should be done if there’s any changes made in Wisconsin employees especially upper level management changes new equipment in the Department’s anything like that but also should be done if the first assessment uncovered something that needs to be addressed and your dress that thing you should do another one to make sure and it should be done until everything is addressed essentially show that the ship is ongoing but I don’t minimum of every 12 months but that’s required by the OCR it covers three areas administrative physical and Technical so I know it sounds like it should be a security risk it should be just technical maybe physical but it’s it’s an interest rate of physical and technically been in the most common causes for beaches and snooping negligence human error intentional targeting through hacking ransomware fishing also fishing so spear phishing mean they were seeking out at Target only texting is there just hoping there’s somebody does something and then identity theft so what is required for a history of risk assessment I’ll learn how to talk today at the risk assessment for requirement for covered entities to conduct a HIPAA risk assessment is not a new provision of health insurance portability accountability act requirement was first introduced in 2003 in the original HIPAA Privacy Rule is subsequently send it to cover the administrative physical and Technical safeguards of hipaa’s security rule 2013 the final Omnibus updated the HIPAA security rule of the hitech act the new regulations further extended the requirement to get back to HIPAA risk assessment two business associates and also increase the amount of a covered entity they covered entity or business associates could be fine for non-compliance with the regulation levels based on what HHS determines you are culpable soy sauce if it seems as though it’s 
unintentional the fines are less if it’s unintentional and if it completely negligent and repeated repeated failures than your fines are going to be a lot more severe Dakota to conduct a HIPAA risk assessment can be costly by the way I’m reading this on HIPAA djournal.com in a reason to music at the journal stead of HHS so it’s easier to understand because you’re not using a lot of the legal term terminology by the charity for fines for non-compliance with hit that has historically depending on the number of patients affected by breed protected health information and the level of negligence of all to fines are now issued in the lowest did not know HIPPA violation category because there is little excuse for not knowing that organizations have it on his claim ignorance anymore if you’re on a highway in the speed limit is 55 and you doing 85 when you get pulled over you can’t claim you didn’t know more recently the majority of the fines have been under the willful neglect HIPAA violation category organizations knew or should have known they had responsibility to safeguard their patient personal information included clean the record 5.5 million dollar Financial Against The Advocate Health Care Network are attributable to organizations failing to identify where to the Integrity of Phi existed however since the start of the second round of Hit the audits Vines have also been issued for potential reaches a Phi these are worth laws and regulations security have not been covered by HIPAA risk assessment or where no man has been conducted so when they come in they’re going to ask you for proof of those risk assessments and if you don’t have them or you know it’s just the checklist and you didn’t do it I didn’t do it and with that being said it is you also when when HHS comes into audit they may provide technical information they may say here’s what you need to do to resolve this issue go fix it and then come back and check to make sure you did fix it and if you didn’t fix it 
then they were going to find you even more so keep that in mind before you just say Okay weather out of our hair cuz you’re not out of your hair it’s not just large medical organizations in fireline and it’s not just medical organizations in firing so another it’s not just a large Hospital networks it’s every practice no matter the size you can be a three-person practice with 10000 records and you’re still in which is considered a small practice you’re still at your still potentially going to be audited especially it just takes one complaint one person to say hey my information was was giving out incorrectly to someone or him or it could be as simple as they ask for their medical records and you didn’t provide it within a certain amount of time and they got fed up and call and it’s not just medical organizations in the firing line either it’s it’s MSP is like like the one I wanted to see if it’s any business associate accounting professionals any business. Uphi is also required to have a risk assessment in place okay so what should I hit the risk assessment consist of US Department of Health and Human Services acknowledges that there is no specific risk analysis methodology this is due to covered entities and business associates very significant capabilities Harbor HS. Provide an objective of Hit the risk assessment. 
Identify potential risks and vulnerabilities to the confidentiality availability and beauty of all Phi that an organization creates receives maintains or transmits in order to achieve these objectives dhshs an organization should identify identify document potential threats and vulnerabilities security measures used to determine the likelihood of a reasonably anticipated threat determine the potential impact of a breach of Phi to sign risk levels for vulnerability and impact combinations document the assessment and take action where necessary risk assessment is not a one-time exercise assessments should be reviewed periodically and as new work practices are implemented to order a new technologies introduced it just does not provide guidance on the other than to suggest that you may be conducted annually they may be conducted annually depending on an organization circumstances do it at least once a year do the requirements of business associate to conduct risk assessments being introduced in an amendment to the HIPAA security rule many career to choose a business associates Overlook their nessus necessity to collect the HIPAA privacy risk assessment HIPAA privacy risk is equally as important as a security risk but can be much larger undertaking depending on the size of the organization in nature of his business so that’s separate from the security risk assessment does a primary privacy risk assessment and finally there is a tool on hhshs his website that will help you conduct a security risk assessment recently downloaded its Windows only but you download it installed on Windows and run it ask you a bunch of questions you fill in the answers and your kind of like a checklist but however it shouldn’t be treated as a checklist so if you find if you find areas of own abilities you need to address them whatever it might be whether it’s the front desk receptionist doesn’t lock your computer or we’re not using touching medication at all we have an educated or staff on 
fishing or you haven’t patched a Windows server that storing Phi Phi because it could be a Gateway into your network these are these are all potential things that need to be addressed you know I’ve seen a once walked to a clinic where they had a quick one at the front window where you were supposed to write your name and why you were there but they know that’s a violation so it could be as simple as that I guess you don’t have an area we can have a conversation with your patient we’re not everybody else is going to hear it that’s a violation you know that’s a that’s a risk because Phi could potentially be exposed and by the way I see that a lot I said a lot of pharmacies so that in pharmacies are supposed to be covered under HIPAA so you know you’re going to want to you don’t want to look at those things and address them as they come up that is going to do it for this episode of IT podcast is a little bit shorter this week because not allowed to report I hope that the education piece or any other bit of information you found in this podcast as helpful as always come check out our website and watch Tech. Comments in wa jtech. Com with lots of information blog post this podcast has hosted it that’s all the daily podcast that is not hosted their go check that out it’s it’s on a bunch of platforms I recorded on anchor so check that out in until next Friday 8 how everybody have a good New Year and I will talk to everybody next year and next decade 

This is the ProactiveIT podcast. This week: what is a security risk assessment anyway? Episode ten.

Hi everyone, and welcome to the ProactiveIT podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so you can better protect your business and identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at nwajtech.com; that's N-W-A-J tech dot com.

We kick off every episode with the Patch Tuesday update. Good news: there's no Patch Tuesday update this week. It is the end of December, the end of 2019, and there are no new patches to report. If you missed previous episodes, then you missed all the patches that did occur this month. There were quite a few for all major operating systems and a lot of software, so go check out episodes 8 and 9 to learn about what patches came out, and get those patches updated.

This week I'm introducing... it's not really a new segment; it's something I've wanted to do but haven't had an opportunity to, but I do today. We had a question sent in regarding HIPAA: does a solo practitioner who does not accept insurance need to provide an NPP, which is a notice of privacy practices, and are they subject to HIPAA regulations? The problem is there's not enough information in this question to fully answer it, but here's what I will tell you. If you are working on a laptop and you transmit files to a record-keeping system in the cloud, then you are required to follow HIPAA practices. If you store documents in the cloud, you are required to follow HIPAA. If you send an email to anybody that includes any type of potential PHI, you are required to follow HIPAA. They do say that they do not accept insurance, so it's all private pay; the client pays. If the client is paying, they're probably paying with a credit or debit card, so you are also obligated to follow PCI compliance. We haven't talked much about PCI on this podcast, but we will eventually. PCI is the Payment Card Industry set of compliance rules, so if you're storing payment information you need to follow those rules.

There's not enough information in the question to completely answer it; I would err on the side of caution. The OCR website, the HHS website, has (and I'll try to find it and include it in the show notes) a way for you to determine whether or not you need to follow HIPAA. I would say err on the side of caution, because with today's technology and the potential for a breach and things like that, a HIPAA violation could probably put a solo practitioner out of business. So I would err on the side of caution and provide an NPP; it's really not complicated. And if you work with any other vendors... I don't know, it didn't say what kind of solo practitioner they are, but if you have a billing and coding specialist, or an accountant or a bookkeeper, or somebody who might see your PHI, then you absolutely need to have HIPAA agreements in place. The one thing they did ask is whether they would be a covered entity, and that questionnaire would help them. I again would err on the side of caution and say yes. HIPAA compliance should actually be a little bit easier for a solo practitioner, because you're in more control, but speak to a consultant and find out whether or not it is relevant to your business. Without more information I wouldn't be able to answer that completely, but that would be my feedback, and I shared that feedback already with the person who asked the question, and they seemed to be satisfied with my answers. So we're going to leave it at that.

All right, as we expected it was a light news week for cybersecurity given it was the Christmas holiday, but we have a few things to share today. First up, a note from the FBI regarding LockerGoga and MegaCortex. Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway and the Netherlands. MegaCortex, first identified in May 2019, exhibits indicators of compromise, command-and-control infrastructure and targeting similar to LockerGoga. So these are both ransomware variants, and the FBI has issued some tips to protect yourself and mitigate the risk. Again, there's never a one-hundred-percent foolproof plan; however, there are steps you can take to reduce the risk significantly, and these are very similar to those for any other ransomware, so I'm going to go through the list quickly.

First of all, have a backup and disaster recovery plan: back up regularly, test backups, and keep a backup offline. Ensure all software and operating systems are up to date. Enable two-factor authentication and have a strong password policy. I'm going to stress that for a moment, because I did report on yesterday's daily show that there's a Chinese hacking group, APT20, that has hacked two-factor authentication. I say that because nothing is foolproof; however, if you have two-factor authentication and a strong password policy, then you're even more protected. Having two-factor authentication is kind of pointless if your password is 123456. Have a strong password policy: uppercase, lowercase and special characters, and the longer the better, and that will help protect you against potential compromises. Disable Remote Desktop Protocol wherever it is not needed, and ensure Remote Desktop Protocol ports are blocked; use RDP over a VPN, or use third-party software to further secure RDP. You should be monitoring for these, so run port scans to ensure that the ports are closed and nothing is listening that shouldn't be listening. Disable SMBv1; recall that was the attack vector for WannaCry. Monitor Active Directory for unusual access, account changes and new accounts. Make sure you are using the most up-to-date PowerShell and uninstall any older versions, and enable PowerShell logging for unusual commands, especially execution of base64-encoded PowerShell. You should be logging everything: logins, logouts, account creations, errors, hard drive errors, storage. There are organizations that didn't discover they were being attacked until they ran out of storage and then realized something was wrong. So log storage space and track it; somebody should be keeping an eye on those logs, and there should be alerts set up for when you reach a certain threshold, so that it can be addressed in a timely manner. Those are the tips the FBI has released. Nothing really new there, but it's a good reminder.

Next: HIPAA Secure Now issued guidance on targeted ransomware. This was on HIPAA Secure Now, also a partner of Nwaj Tech. "We are all affected by cybersecurity; pay attention, the health of your business depends on it." So this is really directed at any business. Wherever you fall in the food chain of the healthcare industry, cybersecurity needs to be at the forefront of your mind. That might mean you are a small doctor's office with a few patients, a large hospital, a technology company that supports healthcare clients, or many things in between. If healthcare is part of your success, you are a target too. This goes beyond HIPAA: your world of compliance needs to extend outside of making sure you fall into line when it comes to HIPAA rules and regulations. Those will assist you should a breach occur and reveal weaknesses in your business structure, but HIPAA compliance does not mean you are protected from a cyberattack. The Office for Civil Rights recently released insight into the threats in its newsletter.
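Returning to the FBI tip above about enabling PowerShell logging and alerting on base64-encoded commands: this is an added example of what that alert can look like as detection logic over process-creation log lines (it is not code from the podcast, Nwaj Tech or the FBI; the log field layout, hostnames, users and paths are constructed for the example). It goes one step beyond the tip by also flagging "-Version 2" launches, since the legacy PowerShell 2.0 engine produces no script block logs.

```python
"""Alert on base64-encoded PowerShell and engine downgrades in process logs.

Added example, not code from the podcast or the FBI notice. It scans
constructed process-creation log lines (the "host= user= cmd=" layout is
invented for this example) for two things worth alerting on:
  - execution of base64-encoded PowerShell (-EncodedCommand and its short forms)
  - requests for the PowerShell 2.0 engine, which lacks script block logging
"""
import base64
import re
from dataclasses import dataclass
from typing import List

# powershell.exe / pwsh.exe anywhere on the line. Other tools that accept a
# "-e" switch (grep, 7z, ...) must not trigger the encoded-command rule.
POWERSHELL_RE = re.compile(r"(?i)\b(?:powershell(?:_ise)?|pwsh)\.exe\b")

# powershell.exe accepts any unambiguous prefix of a switch, plus "-ec", so
# -e, -ec, -enc and -EncodedCommand are interchangeable. Build the alternation
# from the full name (longest first) and require a base64 token after it.
_FULL = "encodedcommand"
_PREFIXES = "|".join([_FULL[:n] for n in range(len(_FULL), 0, -1)] + ["ec"])
ENC_RE = re.compile(
    rf"(?i)(?:^|\s)-(?:{_PREFIXES})\s+['\"]?([A-Za-z0-9+/]{{16,}}={{0,2}})"
)

# "-Version 2" / "-v 2.0": a downgrade request on a host that has a modern
# PowerShell is itself suspicious, because the old engine is not logged.
DOWNGRADE_RE = re.compile(r"(?i)(?:^|\s)-v(?:e|er|ers|ersi|ersio|ersion)?\s+2(?:\.0)?(?!\S)")


@dataclass
class Finding:
    rule: str          # which detection fired
    line: str          # the offending log line, for the analyst
    decoded: str = ""  # decoded command (encoded-command rule only)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as UTF-16LE text, then base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    return raw.decode("utf-16-le", errors="replace")


def scan_line(line: str) -> List[Finding]:
    """Apply both rules to one log line; non-PowerShell processes are ignored."""
    findings: List[Finding] = []
    if not POWERSHELL_RE.search(line):
        return findings
    enc = ENC_RE.search(line)
    if enc:
        findings.append(Finding("encoded-command", line, decode_encoded_command(enc.group(1))))
    if DOWNGRADE_RE.search(line):
        findings.append(Finding("version-2-downgrade", line))
    return findings


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan a whole log, preserving line order."""
    return [f for line in lines for f in scan_line(line)]


def encode_command(script: str) -> str:
    """Produce an -EncodedCommand argument; used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# --- constructed sample log (invented hostnames, users, paths and URL) -------
HIDDEN_CMD = r"Invoke-WebRequest http://example.invalid/n.txt -OutFile $env:TEMP\n.txt"
SAMPLE_LOG = [
    r"2019-12-27 02:10:11 host=WS-07 user=jdoe cmd=powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    r"2019-12-27 02:14:52 host=WS-07 user=jdoe cmd=powershell.exe -NoP -W Hidden -enc " + encode_command(HIDDEN_CMD),
    r"2019-12-27 02:15:03 host=SRV-01 user=svc_app cmd=POWERSHELL.EXE -EC " + encode_command("Get-Date"),
    r"2019-12-27 02:16:40 host=SRV-01 user=svc_app cmd=powershell.exe -Version 2 -Command Get-Service",
    r"2019-12-27 02:17:09 host=WS-07 user=jdoe cmd=C:\Tools\grep.exe -e AAAAAAAAAAAAAAAAAAAAAAAA notes.txt",
]

if __name__ == "__main__":
    # Lines 2, 3 and 4 should alert; the decoded text is what the analyst triages.
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
        if f.decoded:
            print(f"    decoded: {f.decoded}")
```

Feeding the decoded command into the alert is the point: without it, the analyst sees only an opaque base64 blob and has to decode it by hand before deciding whether the activity is legitimate.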
Besides this, further recognizing that ransomware attacks have not been on the downslope for some sectors: the healthcare industry remains a constant and increasing target. The reason for this may be that patient information is needed on a regular and ongoing basis, thereby making payment of the demands quicker and more likely, not to mention the data about individuals held in healthcare. Breached healthcare organizations tend to be lacking when it comes to updated equipment and processes, making them an easy target to hack. Hacking in large environments is more likely, and smaller environments feel less threatened, mistakenly assuming that their businesses do not hold valuable data. Any data is valuable today, and that is very true: businesses of all sizes are a potential victim. These attacks are not as immediate and obvious as they once were, and they are much more tailored to target their victims. They have been found to get into systems, lie dormant, and go undetected for a while. Phishing also remains an easy entry point via unsuspecting or untrained employees. The hacker can remain within a system for enough time to assess the structure and hit where it will hurt the business the hardest. HIPAA Secure Now recognizes that having a solid plan can help prevent, mitigate and recover a business if it is in place and monitored on an ongoing basis. This means that as a business owner, office administrator or IT provider, you need to ensure that you are regularly monitoring and regularly maintaining both your cybersecurity and your HIPAA compliance program. Like any good doctor will tell you, an ounce of prevention can go a long way. So that was on HIPAA Secure Now's website, on their blog, by Art Gross; go check that out. Their recommendations are spot on. You cannot take any threat lightly, no matter the size of your practice. We just talked about a solo practitioner, so any practice of any size is a potential victim, and I don't care what size business; they assume that large businesses will pay quicker, but we've seen time and time again that larger businesses can't pay and are forced out of business. Sometimes being a small business makes it more appealing to the hackers. And again, I'm using that term "hackers"; it's really "attackers". Hackers is not a good term; hackers in general can be good or bad.

Next up, on Threatpost (this was reported across multiple platforms, but I'm reading from Threatpost): there is a critical Citrix bug that puts 80,000 corporate LANs at risk. I talked about this earlier this week on the cybersecurity daily. Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in Citrix Application Delivery Controller (ADC for short) and Citrix Gateway. If exploited, it could allow unauthorized remote access to a company's local network and arbitrary code execution. The Citrix products, formerly known as NetScaler ADC and NetScaler Gateway, are used for application-aware traffic management and secure remote access respectively, and are installed in at least 80,000 companies in 150 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The US accounts for about 30% of all vulnerable organizations. So that's a lot of businesses. "This attack does not require access to any accounts, and therefore can be performed by any external attacker," he noted in research released on Tuesday. "This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company's internal network from the Citrix server." While neither Citrix nor Positive Technologies released technical details on the bug, which is CVE-2019-19781, they said it affects all supported versions of the product and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.

"Citrix applications are widely used in corporate networks," said the director of the security audit department at Positive Technologies in a statement. "This includes their use for providing terminal access of employees to internal company applications from any device via the internet." Considering the high risk of the discovered vulnerability and how widespread Citrix software is, apply the update, according to the researchers. There's a link to the Citrix list of mitigation steps. The mitigation consists of a configuration change that blocks communication to the aforementioned vulnerability. For a stand-alone system there are some commands you can run, and I'm sure that the change has to take place on the primary in a high-availability pair; again, there are some commands you can run, and it looks like a lot of commands, so you're going to want to go to that article on the Citrix support website and update as necessary.

Citrix was in the security news earlier this year when cyber attackers used password-spraying techniques to make off with 6 terabytes of internal documents and other data, so they probably used that information to compromise Citrix further this year. The attackers were intermittently in Citrix's infrastructure between October 13th, 2018 and March 8th, 2019, the company said, and the crooks principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in Citrix's consulting practice. So it doesn't really leave a warm and fuzzy feeling about Citrix. And I know Citrix is widely used: at the last real job I had, we did have a Citrix environment, and I know how widely used it is. That particular company used it across multiple countries, so it's a big one. If you have a Citrix environment, make sure you take care of it, update it, and mitigate the risk.

Right, on BleepingComputer: new Magellan 2.0 SQLite vulnerabilities affect many programs. I reported this this morning on our daily show as well. SQLite is used in a lot of software packages and operating systems, including Google Chrome, Mozilla Firefox and Windows 10. For Google Chrome there was an update to mitigate that risk, I believe last week; there have been a couple of Google updates this month, so one of those updates addresses this. It also affects Mozilla Firefox and Windows 10. I don't believe Windows 10 was patched for Magellan 2.0 in the last Patch Tuesday, so we'll look for that in January. I don't believe Firefox has been updated either, so we'll wait and see. But for Google Chrome there was an update, so if you have not updated Google Chrome to the latest version, you're going to want to do that. The attacker can use the flaw to compromise a computer through Google Chrome; I'm not sure whether the attack is the same across the other software. So once again, the case for this: if you have software updates available, then apply those updates.

Finally, one more thing I just want to talk about: Windows 10 2004 is the latest feature update, and it will come out in the spring of 2020. It has a bunch of improvements; I'm not really going to go through all of them, because there are a lot. If you want to read more about that, it's on BleepingComputer.com, and the link will be in the show notes. Some of the cool things I will tell you: it is upgrading Task Manager so that you can monitor a little more if you don't use any remote monitoring tools. It's going to include a passwordless experience; some of you may already be using this depending on what you have for a device, so instead of a password you can use a fingerprint or a PIN, the Windows Hello experience. I don't use Cortana, I always disable Cortana, but there will be a new Cortana experience. The network status page is going to be a little bit different. There are a bunch of new feature updates coming in the spring of 2020 for Windows 10 users, so be on the lookout for that; hopefully it won't break anything.

Let's move on to our hot topics for the week. As I said, it was a holiday week, so there's not a lot to report or talk about. We did not add a new blog post to the Nwaj Tech site this week; we'll try to get one up next week. But I did find an interesting article on The Verge: Facebook's new preventive health tool pushes people to advocate for their health. This was actually posted back in October; I'm not sure how I missed it until now. I don't really read The Verge, so that might have something to do with it, and I haven't seen this tool. I think it is something you need to opt into. Starting October 28th, Facebook will let users choose to get personalized reminders about healthcare tests and vaccines. The company's new Preventive Health tool focuses on getting people information about cancer screenings, heart check-ups and flu vaccines, all measures that could hopefully help people catch deadly conditions long before they become lethal. The tool, which is only available to Facebook users in the United States, takes the age and sex from their Facebook profile (which is maybe why I don't have it available to me, because I didn't put my birthday on Facebook, and that's a whole other topic, by the way) and provides them with a list of recommended screenings based on those two data points. "So let's say you're 52 years old," Freddy Abnousi, Facebook's head of healthcare research, tells The Verge. I mean, the fact that Facebook has a healthcare research department... I don't know, that's a little scary to me; that seems overboard for Facebook. So I would say this might be a cause for concern, and where does that leave them in the HIPAA realm? "One of the things that will come to you, based on the American Cancer Society's recommendation, is that you should have a colorectal cancer screening." Abnousi says that the app would then give you more information about what kinds of tests are available, from a colonoscopy to a stool test or CT scan. Facebook hopes that users will then take what they learned and talk to their primary care physician about what would be best for them. So it doesn't sound like they're actually collecting information; they're just using your birthday and gender to say you need to go do this.

This marks Facebook's second venture into health, the other being an effort promoting local blood drives, launched in the United States in June after debuting in India in 2017. Overall, both of these tools make a far more simple entry into the health space than other tech giants have made. Amazon is getting into online pharmacies and electronic health records, so Amazon has opened another can of worms for themselves. There's Apple's health monitoring, for which there is now legislation being called for; and it's not just Apple, there's Fitbit too, and I have a Samsung watch that does the same thing. In contrast, Facebook's tool is basically enhanced reference pages from official websites smashed together with a calendar reminder, tailored to broad demographics instead of individuals. So I guess that's not really PHI. I just wonder why they're even getting into healthcare. Is Facebook trying to be a one-stop platform on the internet? Are they trying to become a new AOL, I guess? Or is this an entry into something in the future? It's interesting to me that they want anything to do with healthcare at all, given that they've been involved in a HIPAA breach for some reason, and I think at this point that's a matter for another time. But it doesn't sound like PHI. As I mentioned, I don't keep my birthday on Facebook, and I know most people do, and that opens the door for potential attackers, for social engineering to occur. If your phone number (and I still see a lot of people's phone numbers and email addresses on Facebook), your birthday and maybe where you live are all there, that is enough information to do some social engineering and do some digging around. Today, at the end of 2019, I know that information privacy is almost non-existent at this point; however, let's not make it easier for the social engineers of the world, the attackers of the world, to take advantage of that information. So I do not keep my birthday on Facebook.

Here's an article that I found; Bob actually shared it on Facebook with me. Ransomware attack forces Arkansas CEO to fire 300 employees days before Christmas. Now, there are two sides to this, but I'll get to the story first. The CEO of a telemarketing company in Sherwood, Arkansas has let go 300 employees after the company failed to recover from a ransomware infection. In a deeply apologetic letter to employees, the Heritage Company CEO Sandra Franecke said that two months ago the servers were attacked by hackers who demanded a ransom to unlock the systems. Despite paying the attackers, the company struggled to get back on its feet, and it decided to close shop and let everyone go. The local news station down in Arkansas obtained the letter that was written to employees; the local news station is KATV, and the letter is here. I'm not going to read the letter, but it does sound very sincere and heartfelt. But I'm going to continue: in an interview afterward, one of the employees said, "Let your employees know something. Give them a chance to take their own lives into their own hands, and don't play God with everybody's life." So, just so you know, something happened two months ago, and why are you waiting until right before Christmas to tell everybody? And shutting down for Christmas to save a few dollars? I don't know. This is not the first time ransomware has shuttered a business in the United States this year. Brookside ENT and Hearing Center, a doctor's office in Battle Creek, Michigan, was forced
to close its doors after hackers infected is compromising everything for patient records 2 billion formation on like the Heritage company books identity did not pay the rest would likely figured it’s it would have the same outcome anyway and I did report on that earlier this year star and many others reported in the past your loan underscore the dire need to protect any business big or small from ransomware so here’s where it is where I have a problem so sad for the 300 employees and apparently the letter it says that the guy to still working to try to fix the issue 2 months later a week why not just wait to drive white and and install Clean cuz it Doesn’t obviously they didn’t have backups so that’s where I’m going to go with this you have 200 employees what is the it in this in this business I mean I should be backups you should get website backups of anything is critical it should you should have medication steps you know how did the red somewhere get in we don’t know it doesn’t say my guess would be a phishing attack so did we train our employees efficient do we have any fish place it on 90% of all start with a phishing attack so is that what happened here it sounds like maybe it did and we know from Dire Straits where talks you don’t pay the rent somewhere because there’s no guarantee they’re going to give you give you your your files never look there’s no guarantee they’re going to decrypt anyting and the weird part so they gave away seven cruises the week before they let everybody off I don’t know if you know they say they pay for this in July but I would imagine it could have and he’s gotten so many back for those Cruisers and pay two it may be paid for third-party to come in and resolve the issue and it is salt there’s definitely some poor planning going on here the other reason I’m sharing this is it does it does show the potential Devastation that a ransomware attack can have so 300 employees fired not really fired laid off right before Christmas now 
given the circumstances is there going to be a possible for unemployment I would assume but the devastation this is going to have a 300 families right before Christmas and it’s I mean I don’t know how you going to put that into words you can’t and so this is the this is what we’re playing with people’s livelihood when we’re not addressing the ransom where can I read somewhere that is occurring right now there is ransomware is not specific to any industry I know I talk a lot about health care but is not specific tanning industry they are opportunists they will take whatever they can take as you can see those Ransom was paid they will talk whatever they can attack if you leave one little hole open they’re going to try to exploit that hole and you need to ensure that your business for your livelihood and for those of your employees that you’re protecting everything and so I read earlier in this podcast I went through a list of things that you can do to mitigate the potential potential ransomware attack and then some education and get all your you’re playing with people’s lives when you don’t address the concern it wouldn’t leave the front door open and always miss your area if you live in an area where crime does exist you would not need a front door open when you’re leaving the front door of your business open if you’re not doing anything to mitigate the risk I feel a lot better how about this had I cheat on what they were supposed to do and you can tell they did it because it would be able to restore from backup if they did I’m going to get off my soapbox now let’s move along, switches on the question that I asked earlier about saw solo practitioner and HIPAA and MP requirements five things small practices need to know about HIPAA this is on web PT this blog post doesn’t have a date on it which is actually Nico technique but I don’t see a date so I’m not sure when it was written but it’s relevant so let’s go through the list here at five things that that’s all small 
practices need to know about HIPAA the first you can only become a covered entity by the performing a cover change the transaction that’s it that’s what I touched on earlier do you electronically transmitted patient information related to cover transactions covered transactions generally include the electronic transmission of claims so if you don’t have insurance then you don’t have to worry about it but if you’re transmitting files electronically to anywhere else then you do and then they don’t really care to hhs’s online tool evaluate your status of soil or covered entity was required to comply with HIPAA but you’re not a covered entity you can stop worrying you can’t accidentally become a covered entity unless in a covered transaction using email make you a covered entity even if you don’t do it, but that’s not true because you can find by HIPAA for having Phi any know if you’re not a kerensky for your intake forms reference Cutthroat does that I would get you because you’re as a member that there’s only one way for two within the scope of HIPAA performing a covered transaction one caveat if you tell your patients that you comply with HIPAA requirements you should do so just doesn’t mean that you can come and get the covered entity or simply means that you should subject yourself to hipaa’s privacy and security requirements because you promised your patience you would do so for example if you’re not a covered entity but your notice of privacy practices since that you knew only HIPAA compliant email software than you could use it the complaint also requires it but because you said you would you must have written privacy policies Is a Mess by the way for the reserve things you need to know about what HIPAA compliance audits are many providers greatest fear but they’re absolutely something for which has explained here and there’s a link to another blog post on the HHS gov site every covered entities and business associate is eligible for an audit audit can beer and 
a more targeted now at this point on its 10 to be after a breach or after some gross negligence every color rescue business associate is it eligible for an audit audit can deer and a more targeted I just said that the policies and procedures adopted and business associates to meet selected standards and implementation specifications for the privacy and security breach notification rules don’t have any such policies than if it requires that all covered entities maintain written privacy policies and procedures has three main components to a government Regulators are more familiar to maintain adequate policies and procedures is one of the biggest reasons that practices are fried how many you being a good while privacy policies are required they’re not a mere formality in fact they come with some pretty good benefits including providing you with accessible answers to how should I discipline my patients private information out of PT Pub night I’m just going to hit the policies don’t typically address to specific situation but they would give you enough guidance to problem solve it yourself how long should I retain patient record how complex does my WebKinz password need to be members of my clinic Sherry a single computer login what do I do with an old laptop can I use a Wi-Fi at Starbucks and by the way that last the laptop should be disposed of properly and do not use the wi-fi at Starbucks number three required risk assessment will help you tailor HIPAA compliance safeguards to practice needs and that’s incredibly true we’re going to talk about the HIPAA security risk assessment and a moment if it isn’t one-size-fits-all I’m so when you run a security risk assessment you looking for areas of opportunity is essentially and it is requirement once a year or if there’s any changes so let me let me do that when we get to that portion of the podcast but it is requirement at least once a year for without written policy simply just giving a notice of privacy practices 
document to Patient doesn’t make you at the complaint also true you have a lot to do to become HIPAA compliant in just Distributing Des MPP isn’t enough it’s not even close to enough if I lean up at number five you must have hip agreements with anyone who handles your page information this is extremely turn out or we talked about this last week and it had the education portion of the of the podcast you if you have business associates and a business associate has a subcontractor and it just goes everybody needs to be hipaa-compliant you need a business associate agreement for everybody who is potentially in contact with your Phi there are some practices that will go so far as to give require a business associate agreement for every every vendor that they interact with if you don’t answer that say you have an MSP managing your network of computers and so forth and they threw them you have Office 365 then you should have a business day should have there are Office 365 is the vendor for the IT company they need a business associate agreement from profit from Microsoft and you need a business associate agreement from CIT vendor and that’s how it works you have to have a fan if it’s not a place you’re you’re not complying with HIPAA and you’re putting your your practice at risk being fined at the very least and what we’re saying is that right now where where people that are impacted by that the pictures are also being sued so not really something you want to play with you going to want to sure that you have business associate agreements in place before you begin working with any better alright let’s look at the HIPAA breach notification for the week again not a lot to report cuz it is a holiday week I would imagine next week will be the same but here’s what we have so December 26th in New Mexico hospital just goes malware on and imaging server so they found out we’re on a run radiological Imaging server that had around 500 patients information on malware infection was 
discovered in November 14th I’m so just over a month for them to to disclose so good job they’re prompt action was taken to isolate the cervix prevent further unauthorised access and then of course they updated the machine to make sure that there were no more about these on the machine so all around this is at Roosevelt General Hospital in Portales New Mexico by the way call Ron wasn’t so I would say it was a good job by the it at New Mexico hospital I’m sorry sir General Hospital in Port Alice Roosevelt General Hospital they recover quickly that isolated and a report to quickly solved on December 24th Christmas Eve we have to the state of Colorado is no to find 12234 mistletoe disclosure of some of the information as a result of a male you are essentially has sent $10,879 to reapply forms with the wrong information out incorrect individuals 12213 individuals have been incorrectly included on those that don’t believe that Phi what is this girl’s butt temperature be on the safe side they are notifying and provide a credit monitoring services for 12 months Sinai Health System phishing attack reported chicago-based Sinai health system as it’s go to the email accounts of two of its employees have been compromised as a result of responses to phishing emails no information has been disclosed about the date of the attack and when it was discovered by Sinai health system has reported a third-party computer forensics experts to turn it on October 16th 2019 at the compromise the child’s container Phi which was potentially access by the attackers so illegal one more time with h i n e mail and no lack of fishing mitigation including multi-factor authentication they do believe that 12578 records were involved and see if there’s anything else for the switch well that’s it it’s just the three this week so I’m quite week for HIPAA breaches to all right time for us to education peace as I mentioned earlier this is we’re going to talk about the security risk assessment today what 
will quick notes about it first of all the hit the risk assessment should be done at a minimum of at least once every 12 months but it should be done if there’s any changes made in Wisconsin employees especially upper level management changes new equipment in the Department’s anything like that but also should be done if the first assessment uncovered something that needs to be addressed and your dress that thing you should do another one to make sure and it should be done until everything is addressed essentially show that the ship is ongoing but I don’t minimum of every 12 months but that’s required by the OCR it covers three areas administrative physical and Technical so I know it sounds like it should be a security risk it should be just technical maybe physical but it’s it’s an interest rate of physical and technically been in the most common causes for beaches and snooping negligence human error intentional targeting through hacking ransomware fishing also fishing so spear phishing mean they were seeking out at Target only texting is there just hoping there’s somebody does something and then identity theft so what is required for a history of risk assessment I’ll learn how to talk today at the risk assessment for requirement for covered entities to conduct a HIPAA risk assessment is not a new provision of health insurance portability accountability act requirement was first introduced in 2003 in the original HIPAA Privacy Rule is subsequently send it to cover the administrative physical and Technical safeguards of hipaa’s security rule 2013 the final Omnibus updated the HIPAA security rule of the hitech act the new regulations further extended the requirement to get back to HIPAA risk assessment two business associates and also increase the amount of a covered entity they covered entity or business associates could be fine for non-compliance with the regulation levels based on what HHS determines you are culpable soy sauce if it seems as though it’s 
unintentional the fines are less if it’s unintentional and if it completely negligent and repeated repeated failures than your fines are going to be a lot more severe Dakota to conduct a HIPAA risk assessment can be costly by the way I’m reading this on HIPAA djournal.com in a reason to music at the journal stead of HHS so it’s easier to understand because you’re not using a lot of the legal term terminology by the charity for fines for non-compliance with hit that has historically depending on the number of patients affected by breed protected health information and the level of negligence of all to fines are now issued in the lowest did not know HIPPA violation category because there is little excuse for not knowing that organizations have it on his claim ignorance anymore if you’re on a highway in the speed limit is 55 and you doing 85 when you get pulled over you can’t claim you didn’t know more recently the majority of the fines have been under the willful neglect HIPAA violation category organizations knew or should have known they had responsibility to safeguard their patient personal information included clean the record 5.5 million dollar Financial Against The Advocate Health Care Network are attributable to organizations failing to identify where to the Integrity of Phi existed however since the start of the second round of Hit the audits Vines have also been issued for potential reaches a Phi these are worth laws and regulations security have not been covered by HIPAA risk assessment or where no man has been conducted so when they come in they’re going to ask you for proof of those risk assessments and if you don’t have them or you know it’s just the checklist and you didn’t do it I didn’t do it and with that being said it is you also when when HHS comes into audit they may provide technical information they may say here’s what you need to do to resolve this issue go fix it and then come back and check to make sure you did fix it and if you didn’t fix it 
then they were going to find you even more so keep that in mind before you just say Okay weather out of our hair cuz you’re not out of your hair it’s not just large medical organizations in fireline and it’s not just medical organizations in firing so another it’s not just a large Hospital networks it’s every practice no matter the size you can be a three-person practice with 10000 records and you’re still in which is considered a small practice you’re still at your still potentially going to be audited especially it just takes one complaint one person to say hey my information was was giving out incorrectly to someone or him or it could be as simple as they ask for their medical records and you didn’t provide it within a certain amount of time and they got fed up and call and it’s not just medical organizations in the firing line either it’s it’s MSP is like like the one I wanted to see if it’s any business associate accounting professionals any business. Uphi is also required to have a risk assessment in place okay so what should I hit the risk assessment consist of US Department of Health and Human Services acknowledges that there is no specific risk analysis methodology this is due to covered entities and business associates very significant capabilities Harbor HS. Provide an objective of Hit the risk assessment. 
Identify potential risks and vulnerabilities to the confidentiality availability and beauty of all Phi that an organization creates receives maintains or transmits in order to achieve these objectives dhshs an organization should identify identify document potential threats and vulnerabilities security measures used to determine the likelihood of a reasonably anticipated threat determine the potential impact of a breach of Phi to sign risk levels for vulnerability and impact combinations document the assessment and take action where necessary risk assessment is not a one-time exercise assessments should be reviewed periodically and as new work practices are implemented to order a new technologies introduced it just does not provide guidance on the other than to suggest that you may be conducted annually they may be conducted annually depending on an organization circumstances do it at least once a year do the requirements of business associate to conduct risk assessments being introduced in an amendment to the HIPAA security rule many career to choose a business associates Overlook their nessus necessity to collect the HIPAA privacy risk assessment HIPAA privacy risk is equally as important as a security risk but can be much larger undertaking depending on the size of the organization in nature of his business so that’s separate from the security risk assessment does a primary privacy risk assessment and finally there is a tool on hhshs his website that will help you conduct a security risk assessment recently downloaded its Windows only but you download it installed on Windows and run it ask you a bunch of questions you fill in the answers and your kind of like a checklist but however it shouldn’t be treated as a checklist so if you find if you find areas of own abilities you need to address them whatever it might be whether it’s the front desk receptionist doesn’t lock your computer or we’re not using touching medication at all we have an educated or staff on 
fishing or you haven’t patched a Windows server that storing Phi Phi because it could be a Gateway into your network these are these are all potential things that need to be addressed you know I’ve seen a once walked to a clinic where they had a quick one at the front window where you were supposed to write your name and why you were there but they know that’s a violation so it could be as simple as that I guess you don’t have an area we can have a conversation with your patient we’re not everybody else is going to hear it that’s a violation you know that’s a that’s a risk because Phi could potentially be exposed and by the way I see that a lot I said a lot of pharmacies so that in pharmacies are supposed to be covered under HIPAA so you know you’re going to want to you don’t want to look at those things and address them as they come up that is going to do it for this episode of IT podcast is a little bit shorter this week because not allowed to report I hope that the education piece or any other bit of information you found in this podcast as helpful as always come check out our website and watch Tech. Comments in wa jtech. Com with lots of information blog post this podcast has hosted it that’s all the daily podcast that is not hosted their go check that out it’s it’s on a bunch of platforms I recorded on anchor so check that out in until next Friday 8 how everybody have a good New Year and I will talk to everybody next year and next decade 
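The HHS objectives walked through in the education piece (identify threats and vulnerabilities, estimate likelihood and impact, assign a risk level, document, act, and re-assess on change or after 12 months) as a small Python risk register. This is an added example, not code from the podcast or from the HHS SRA tool; the 1-3 scales, the level thresholds and the four findings are constructed assumptions, chosen to match the scenarios the episode mentions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Ordinal scales for the "likelihood" and "impact" steps. HHS prescribes no
# particular methodology, so a 1-3 scale is an assumption of this example.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    asset: str          # something that creates, receives, maintains or transmits PHI
    safeguard: str      # "administrative", "physical" or "technical"
    threat: str
    vulnerability: str
    likelihood: str     # key of SCALE
    impact: str         # key of SCALE
    mitigation: str
    resolved: bool = False

    def score(self) -> int:
        """Likelihood x impact: the 'vulnerability and impact combination'."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def level(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


@dataclass
class Assessment:
    performed_on: date
    findings: List[Finding] = field(default_factory=list)

    def open_findings(self) -> List[Finding]:
        """Unresolved findings, highest risk first: the action list."""
        return sorted((f for f in self.findings if not f.resolved),
                      key=lambda f: -f.score())

    def open_by_safeguard(self) -> Dict[str, int]:
        """How the open work splits across the three safeguard areas."""
        counts = {"administrative": 0, "physical": 0, "technical": 0}
        for f in self.open_findings():
            counts[f.safeguard] += 1
        return counts

    def reassessment_due(self, today: date, environment_changed: bool = False) -> bool:
        """Due again after 12 months, after any change (staff, equipment,
        departments), or while anything from the last round is still open."""
        return (today - self.performed_on >= timedelta(days=365)
                or environment_changed
                or bool(self.open_findings()))


def sample_assessment() -> Assessment:
    """Constructed findings mirroring the situations mentioned in the episode."""
    return Assessment(date(2019, 12, 27), [
        Finding("front desk workstation", "physical", "walk-up access to an open EHR session",
                "receptionist does not lock the screen", "high", "medium",
                "auto-lock after 5 minutes; privacy screen"),
        Finding("staff mailboxes", "technical", "credential theft via phishing",
                "no phishing training and no multi-factor authentication", "high", "high",
                "enable MFA; quarterly phishing awareness training"),
        Finding("Windows file server holding PHI", "technical", "ransomware via unpatched service",
                "security patches months behind", "medium", "high",
                "monthly patch cycle; offline backups tested quarterly"),
        Finding("waiting-room sign-in sheet", "physical", "disclosure to other patients",
                "names and reason for visit visible to everyone", "high", "low",
                "tear-off sign-in slips; no reason-for-visit field"),
    ])


if __name__ == "__main__":
    a = sample_assessment()
    for f in a.open_findings():
        print(f"{f.level():6} {f.score()}  {f.asset}: {f.mitigation}")
```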

Author Scott Gombar