HIPAABreachCyber SecurityHealthcare ITInformation SecurityPodcast

ProactiveIT Ep 11 – Cyber Security Trends for 2020

By January 3, 2020 January 7th, 2020 No Comments
Cyber Security Trends for 2020, Ambulance Company’s, Mobile Apps and HIPAA FB

Episode 11 Cyber Security Trends for 2020, Ambulance Company’s, Mobile Apps and HIPAA.

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus Cyber Security Trends for 2020, Ambulance Company’s, Mobile Apps and HIPAA.

This is Episode ELEVEN!   The latest in IT and Cyber Security news plus Cyber Security Trends for 2020, Ambulance Company’s, Mobile Apps and HIPAA.

This is Episode ELEVEN!

Intro

 Hi Everyone and welcome to the Proactive IT Podcast.  Each week we talk about the latest in tech and cyber news, compliance and more.  We also bring you real world examples to learn from so that you can better protect your business and identity. 

This podcast is brought to you by Nwaj Tech – a client focused & security minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

 

Patch Tuesday Update:

No Microsoft Updates for January yet

Python 2.7 has reached EOL

Windows 7 will reach EOL on 1/14/2020

Cyber Security News

The Curious Case of 20 Unsecured Buckets Containing Nearly 48 Million Records

Cloud Hopper cyberattacks, launched by APT10 vs. MSPs and CSPs worldwide, were larger than previously disclosed, a new report says

Cisco critical bugs: Nexus data center switch software needs patching now

Programming language Python 2.7 code is now frozen: Last release coming in April

New Year’s Eve malware attack strikes Travelex, services still offline

Topic 1:  Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance

Topic 2:  2020 Cybersecurity Trends to Watch

Topic 3:  HIPAA Enforcement in 2019

HIPAA Corner: HIPAA & Apps (Right to Access)

https://nwajtech.com/5-guidelines-for-mobile-applications/

https://www.hipaajournal.com/hipaa-compliance-for-medical-software-applications/

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html

https://www.nowsecure.com/blog/2017/03/23/5-vital-tips-developing-hipaa-compliant-mobile-apps-checklist/

HIPAA Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/

Transcription 

This is the ProactiveIT podcast this week the latest in it and cybersecurity news. Plus cybersecurity trends for 2020 ambulance companies, mobile apps, and HIPAA. What do they have in common? This is Episode 11

Hi everyone and welcome to the proactive it podcast each week we talk about the latest in tech and cyber news compliance and more. We also bring your real-world examples to learn from so you can better protect your business and identity. This podcast is brought to you by unwashed tech a client-focused and security-minded IT consultant located in Central Connecticut. You can find us at and watch tech com that’s NW Aj tech.com. All right, we started off like we start off every episode with a Patch Tuesday update They’re not there are no Microsoft patches mentioned as of yet, I would imagine we’ll hear next week about that. However, do keep in mind that Windows seven end of life is now 11 days away. So if you are still on Windows seven, it is time to move on.  Get off of it.

I wouldn’t even recommend getting the extended service from Microsoft, it’s not even worth it just upgrade to Windows 10. Unless there’s some absolutely undeniable reason you need to remain on Windows seven. But get off of it if you can. Also, of note Python 2.7 has reached end of life, they will stop updating it in April this year. Move on to Python three, I believe it on 3.3. I didn’t verify that. So it might be different, a different number at this point. But I believe it’s 3.3 is definitely Python three, so get on Python three, move away from Python 2.7 or there is at least one module They know if that’s been compromised. We reported that a couple of weeks ago. So you’re going to want to get off of Python 2.7 Alright, so as you know, it is now 2020 little non-cybersecurity related tip for you. I’ve seen this all over the all over Facebook really and all over the internet. But instead of writing, you know, like today’s date one 320 you’re going to want to write one 320 20. And here’s the reason why. It’s already been discovered that some people are taking advantage of you writing just 20 for the year and adding a 17 or 18 or 91 to the end of it. So instead of saying one 320 it’ll say 132 thousand 17 and that could potentially make documents not legally binding, or checks not able to be cashed or, or cashed, earlier or later, you know, whatever the case may be. So instead of writing just 20 for the year, make sure you’re writing 2020 so that it cannot be edited in the news on site where we have the Curious Case of 20 unsecured buckets containing nearly 48 million records. I think I reported this on Monday. on The Daily Show, pet Becker Hello tech and active are some of the companies affected by the incident. data leak has also impacted an app called cluster and real estate answering services company. an investigation led by NBC News has been found that nearly 20 Cloud buckets were left open to the public without passwords. This has affected millions of users across the world. These unguarded buckets have found were found containing nearly 48 million records to name a few episode app called pet Becker, a company that provides information in home Information Technology Services, called Hello tech. You Australia’s largest disability service network provider called active. The data leak has also impacted an app called close to in a real estate answering services company. For the bucket with pet Becker that included driver’s licenses and other sensitive documents from users based in the United States, Czech Republic, Philippines, UK, Malaysia, and Australia. The bucket for Hello tech included thousands of unprotected identity documents belonging to us technicians. So if you are a technician for Hello tech, you’re going to want to make sure that your driver’s license or whatever other ideas you might have are not being used somewhere else. Buck was also filled with images with it serves inside customers home. On protect the cloud bucket used by cluster had exposed 6.4 million photos including those of children at school. And then, a real estate answering service company found millions of voicemails mostly apartment inquiries and maintenance requests that included the caller’s names and cell phone numbers. So peckers response was that they admit The problem stems from users who submitted identity documents via the apps support chat function. I believe they’ve corrected that now. Active investigated the matter and immediately resolve the situation within 45 minutes. So they like that bucket down. And clusters unsecured bucket was available until late on November 26. When it changed the settings on its Cloud Storage. Now, it doesn’t say what cloud storage service any of these companies were using. The term bucket is synonymous with AWS. So I would assume AWS but it does not say that here. You know, other companies like Azure uses blob instead of bucket. You know, it could be a case of wrong terminology, wrong word wrong name, but would have to believe it’s a Ws.

Again, and one of these is a technology coming are all in us. In a sense, they’re all technology companies. But Hello tech is a is a service provider for tech. And so we’re not locking buckets down. we’re exposing data that shouldn’t get exposed, we need to take care of this. It’s not acceptable, especially from a tech from technology companies. It’s not acceptable channel E to E which is part of mssp alert, cloud Hopper, cyber security apt10 accuracy msps. And CSPs harder than previously disclosed real quick, among the additional. So this is going back to 2016, by the way, so, they there were some attacks on who are the companies here so we have CGI group, HP enterprise, IBM and TFO, which were hit harder by a Texan originally thought. And what they uncovered is, investigators alleged many of the major companies tried to Stonewall clients about what was happening inside their networks, Department of Homeland Security striving to revise federal contracts in a way to force csps to comply with future probes. The hack illustrates a weakness at the heart of global business. Namely CSP and MSP can become doorways into end customer systems. We’ve seen that repeatedly last year. And it’s an open question whether hackers are mean inside companies networks today. So there was a HIPAA breach where that was ongoing for more than three years. Now. It wasn’t a hacker it was an employee. But this illustrates the fact that somebody could be stealing or compromising things for years and not get noticed. It also illustrates that it seems that this seems to happen to the larger msps and csps. The ones that their networks almost almost seemed to be too big to manage. Now, not suggesting that a large MSP is as is potentially at risk, I know, large MSP that are doing great.

It’s just that maybe they get in over their heads. I don’t know. I don’t know what the answer there is. But when this happens, what’s happening is now the clients that these MSP CSP support now become victims through no fault of their own most likely. There should be some auditing on the part of the client to say hey, you know, this is a potential problem, but it’s not always possible to find those uncover those in and audit. Also the there’s a comment here the journal found that Hewlett Packard Enterprise company was so over on the cloud company didn’t see the hackers reenter their clients networks even as the company gave customers the all clear.

So look kind of scary.

Let’s let’s you know, let’s make sure MFA in a ditzy where I think we’re going to talk about the predicting that MFA will become the standard over to FA which is great. What we’ll get to that in a moment, I believe, on Zd net Cisco critical bugs Nexus data center switch software needs patching now, Cisco has disclosed it doesn’t bugs affecting its data center Network Manager software including three critical authentication by bugs that expose enterprise customers to remote attacks. Cisco warns that a remote attacker can bypass dcn authentication and carry out tasks with administrative privileges on an effective device. Available updates are highly important for enterprise data center is built with its Nexus nx OS-based switches. DCM is a key component for automating nx OS based network infrastructure deployments. Cisco points to three separate authentication bypass vulnerabilities and assemble advisory. Those are cp 2019 15975. cv 2019 15977 actually lists the same one twice, so and a trio and the trio have a severity rating of 9.8 out of a possible 10. So this is a big deal. If you have the Cisco switches in your environment, you’re going to want to patch them immediately.

On zd net,

I already reported that Python 2.7

will be frozen and last update will be provided in April of this year 2020. Also NZD net New Year’s Eve malware attack strikes travel x. Travel x is a currency exchange provider in UK so the travel ex has been forced offline into manual mode following a malware attack launched on New Year’s Eve. On Thursday, the London based currency exchange today software virus compromises services prompting a decision to pull all services offline is precautionary measure hadn’t considered currency exchange providers as a as a potential victim. So that’ll be interesting to see if that continues, but our investigation today shows no indication that any personal or customer data has been compromised Travelex said in a statement posted on Twitter at the time of writing the Travelex uk website is inaccessible beyond a runtime error notice. The company has switched to manual means to continue its operations in branches found in areas including airports and standalone over the counter stores. Travelex has requested the assistance of third party cyber security professionals to work with internal IT teams and isolating the malware infections. So Interesting. Interesting from our perspective that it is a currency exchange. They’re bringing in, you know, imagine they have a pretty, pretty solid IT team, but to bring in third party to help out. Quick note on Tick Tock. The US Army has banned the social media app from government issued phones. There continue to be security concerns about it, of course related to China. So if you are using Tick tock, you might want to be careful what you’re sharing, you know, potentially, facial recognition being stolen. As we know facial recognition is a method of biometrics. And of course, we have a concern for deep fix, which I’m also going to briefly talk about in a moment. That’s going to do it for this week’s cybersecurity news.

Let’s move on to our hot topics for the week.

Alright, so each week as you know, we take two or three topics and drill down, discuss them a little bit further things that would be relevant to your cybersecurity or your compliance world. So we’re going to start off with the HHS notification for ambulance company pay $65,000 to settle allegations of long standing. long standing HIPAA compliance West Georgia ambulance has agreed to pay $65,000 to the Office of Civil Rights at the US Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act security role. So the Security Rule, as you may know, relates to EPA Chai electronic protected health information. West Georgia is an ambulance company that provides emergency and non emergency services in Carroll County, Georgia. OCR began its investigation after was Georgia filed a breach report in 2013. So this is going back more than six years. Concerning the loss of an unencrypted laptop containing the protected health information of 500 individuals are the new day not in Congress Exactly. 500 but OCR investigation uncovered long-standing non-compliance with HIPAA rules including failures to conduct a risk analysis, provide a security awareness and training program and implement HIPAA Security Rule policies and procedures despite OCR investigation and technical assistance so that’s key. West Georgia did not take meaningful steps to address their systemic failures. The last thing patients being wheeled into the back of an ambulance shouldn’t have to worry about is the privacy and security the medical information said OCR director Roger Severino. All providers large and small need to take their obligations seriously. So that’s in addition to the monetary settlement, West, Georgia will undertake a corrective action plan that includes two years of monitoring. And I’m going to go to the resolution agreement in a moment. But let’s take that statement for a second. The last thing patients being wheeled into the back of an ambulance should have to worry about is privacy and security of their medical information. All providers large and small need to take their HIPAA obligations seriously. So what does that tell you? That tells you that all of those small practices, whether they’re healthcare, healthcare providers, ambulance services, dental providers, insurance companies, whatever they might be, clearinghouses, whatever they might be,  You are a potential subject of a HIPAA investigation. And I’ve said it before, it just takes one complaint. And in this case, an unencrypted laptop. Now this goes back Six plus years when maybe encryption wasn’t forefront of everybody’s mind. So hopefully, that I mean we’ve seen it and I’m so I’m going to talk about that shortly to there there was. There’s a list of all the HIPAA enforcement for this year. So we’ll talk about that. But HIPAA enforcement, as we can see, can go back to two incidents from six years ago, seven years ago. But there have been incidents this year with unencrypted devices still, it amazes me that we’re not encrypting not to say that desktop shouldn’t be encrypted. They should be there was a case where a business in California had their desktop stolen, you know, their door kicked in and their desktop was stolen. Not as likely as a laptop being stolen. Nope, not as likely. I mean, why are we still using flash drives at all these days when we have cloud storage, it just that makes zero sense. But, you know, encrypting a flash drive, a USB drive encrypting a laptop, it doesn’t it’s not a lot of effort. There’s not a lot of effort involved and it only takes a few minutes usually get it done, Stop messing around with people’s information, encrypt those laptops and encrypt those USB drives, encrypt those desktops, encrypt everything that needs to be any anything that has data on it should be encrypted. But sensitive data, you know. The other piece that I want to point to here is despite OCR investigation and technical assistance, so if OCR comes in, does their thing and says, here’s what you need to do, you need to take that seriously, even if you don’t agree with it, you need to take it seriously. Because if they’re saying this it needs to get done, and then they come back and it’s not done you’re going to be fined. Now, this was a settlement $65,000 settlement. I don’t know what the original dollar amount was but they settled for 65,000. If you are neglectful, which means they came in, they said, This is what you need to do, and you still chose not to do it. You could be fined up to $1.5 million. So you need to take that seriously if they come in, and then give you a break to say, All right, here’s what we found. You haven’t taken this seriously. You need to take a seriously now and you still don’t do it. You’re going to get fined. I could promise you and I do believe that 2020 will be a very strong year for OCR for HHS to come in and an audit people and potentially find people they don’t, you know, they say they don’t want to find people. And I do believe them because they do give healthcare practices the opportunity to correct whatever it is that needs to be corrected. But then these providers aren’t taking it seriously. Now the end so that’s on the HHS website. You can use can just look up the name of this company pays 65,000. Or if you just search for West Georgia ambulance, I’m sure it’ll come up. But then if you click through there is the actual agreement from HHS, and in the agreement, it says a covered entity did not so the ambulance company is a covered entity, under HIPAA right, did not conduct an accurate and thorough risk analysis of the potential risks of old building vulnerabilities to the confidentiality, integrity and availability of all of its epi. That’s the Security Rule. The covered entity failed to have a HIPAA security training program and failed to provide security training to its employees. also part of the Security Rule, a covered entity has failed to implement Security Rule policies or procedures.

Now, so that’s what they fine them for.

Those are the things that they got but this is after. This is after they said this is what you need to do to fix that. problem and they did not take it seriously. So before you assume that your healthcare practice is too small and be that you can ignore the OCR, think twice. Okay. Moving on to the next topic 2020 this is on threat posts this next 120 20 cybersecurity trends to watch so they have a little slide show like I mentioned on my cybersecurity deal yesterday. I’m not a big fan of the slideshow. presentations, I guess on websites, they’re just annoying to me. I would rather just read a straight down but Anyway, I digress. These are the top trends for 2020 to watch. ransomware was the scourge of 2019 and will also be in 2020. There really is not a solution for ransomware yet until we don’t make it profitable. ad-libbing now, by the way, until they don’t make it profitable for the ransomware attackers till they find a way to stop making In a profitable that’s going to continue organized cyber gangs will shift focus from leveraging banking Trojans and huge multimillion-dollar swift related heist and instead focus on smaller ransomware attacks, meaning smaller businesses as well. Why? Because they are easier to anonymize easier to launder, and require less sharing of illicit profits with street gangs that launder bank fraud process proceeds. So smaller businesses, you know, if you’re 50 employees, and we saw the business that was 300 employees that had to end up ended up closing, but 50 employees making, I don’t know a couple of million dollars a year might decide I’m just going to pay a $50,000 ransom rather than deal with this. And then they don’t those people then don’t have to launder money because now it’s not a bank. So we’ll see how that goes. But that’s the prediction and I would tend to agree with that. Mobile will become a primary fishing vector for credentials. Saxon 2020 I do believe you’re going to see an increase in voice fishing, also known as fishing, and text fishing, which is smishing. So you’re going to see an increase on those things that I do believe that traditional secure email gateways block potential phishing emails and malicious URLs, which works for protecting corporate email from account takeover attacks, but the glicks mobile attack vectors including personal email, social network and other mobile-centric messaging platforms, such as secure messaging apps, and SMS MMS, according to look out security experts now. phishing emails still work. Yes, a lot of them are ending up in spam filters. And there is software out there but it’s still working. We see it in HIPAA breaches all the time still. As software development increases, so the need to nip security threats in the bud so notorious notoriously, well-known developers do not focus on security. The attack and that’s not to say all developers before you guys shoot my head, shoot me in the head but the attack surface has grown from local code to pipeline code to answer the challenge I dev sec ops mindset must prevail. So it may be new positions to develop development security operations. Say security post swap code is special needs to start from app inception to production in 20 26%. We’re seeing seeing organizations start to build security into each phase of the development pipeline, and expect to see more of this shift in 2020. rover codes Suzanne chicon. As more corporate infrastructure moves to the cloud, so will focus of criminal criminals. good news and bad news. Following this trend is conducting an attack will become harder and the actions of threat actors will become more sophisticated to more frequent relying on chance rather than planning. That’s according to Kaspersky. Global adoption of 5g infrastructure technology will begin in earnest in 2020. That will give rise to an uptick and edge edge computing and a host A new connected IoT devices. Add to that some old issues magnified by the massive 5g build out switches authentication, confidentiality, authorization, availability and data security companies will reach a critical mass with these devices in 2020, forcing them to reevaluate their risk paradigm for connected devices. That’s according to force scout. Authentication will move from two factor authentication multi factor authentication you including biometrics, so that’s really good news. And that’s according to look out security. The company said in 2019, so implementation of one time authorization codes to provide two factor authentication circumvented and advanced phishing attacks. That is very true. We saw that with jack Dorsey’s Twitter account, and then it just happened on I think New Year’s Eve or New Year’s Day with Mariah Carey’s account.

Unknown Speaker 23:51
To protect against credential theft and to address regulatory compliance. And prizes are increasingly adopting multi factor authentication environment tricks using mobile devices to company. So I’ll tell you how I have it, I have my my smart devices have biometrics, you know, either facial recognition or thumbprint or both in some cases, and then I have soft tokens now there was a group at 20 in China figured out how to compromise two factor authentication with soft tokens. But that was that was computer based soft tokens so it wasn’t on smartphone so there’s going to be challenges of course, but the more you put in place to mitigate risks, to better you are multi factor authentication with biometrics Is it far superior authentication method in two factor authentication, but two factor is better than nothing so use something specific, specific attacks such as fishing will continue to leverage machine learning to automate the optimization of campaigns, fishing lures, and landing pages will be a be tested by algorithms. algorithms to improve conversion rates while new domains will be regenerated and registered by AI algorithms. So for those of you that buy domains, which I do a little bit of got more competition. Last year one interest in deep fixed peaked as proof. Oh, I’m sorry. Last year our interest in deep fixed peak as proof of concept is simple surface and real one suede opinion and trick one company out of $243,000 deep fake technology used against businesses, businesses and in misinformation campaigns. campaigns I’ll learn to talk to that promise are predicted to ramp up in 2020. The problem is forecast to become as pervasive that by 2023, up to 30% of World News and video content will be authenticated as real by blockchain, countering deep fake technology. So it’s interesting that blockchain is being mentioned here. If you’re not familiar with deep fakes, it’s kind of what it sounds like they’re using fake Images, fake videos fake voice to create content, whether it’s news or ads or you know, I’m sure I’m sure you could see where this could go. So to combat that, we’re looking at blockchain technology. So technology is advancing quickly. And if you want to remain involved in technology going to need to stay caught up. Not really prediction, but Microsoft will end windows seven support on January 14, that’s just 11 days away at the time of this recording. For most consumers and businesses that do not have extended support in place, that means Microsoft will stop patching in regularly updating the OS even when a security vulnerability is found. history will repeat itself in 2020 with at least one major attack leveraging a vulnerability to affect companies around the world similar to what we saw with the end of life Windows XP for Scott and then you we do know Want to cry

Unknown Speaker 27:01
impacted

Unknown Speaker 27:04
windows seven a couple of years ago. So in a lot of those computers are still haven’t been patched for that. And then finally driven by the high cost of sophisticated malware based attacks, a rise in insider attacks or forecast for 2020 direct attacks on infrastructure is becoming more more much more expensive, acquiring more and more skills and time for the attacker. So the good news is, we’re doing better at securing our networks. Bad news is there’s another way. There’s always another way. Kaspersky This is according to Kaspersky. As a result, the year ahead, we’ll see growth in the number of attacks using social engineering methods. The human factory means a weak link and security as a result, taxes will be willing to offer large amounts of money to insiders. The price for insiders varies from region to region and depends on the targets position in the company, according to Kaspersky. So that’s

Unknown Speaker 27:51
some serious,

Unknown Speaker 27:52
serious stuff going on their social engineering, the most common form of social engineering, you may be familiar with this fishing. But there are lots of other ways to socially engineer someone. And you can probably see the deep pics can be used in that. Maybe we’ll do a special episode on just social engineering at some point. And then our final bit of deep dive here is HIPAA enforcement and review for 2019. So it’s been another year of heavy emphasis on HIPAA journal has been another year of heavy enforcement of HIPAA compliance, HIPAA enforcement and 2019 by the d. h. d, HHS and OCR has resulted in 10 financial penalties for a total of $12.274 million

Unknown Speaker 28:38
and

Unknown Speaker 28:40
2019. So one civil monetary penalty issued and settlements were reached with nine entities. One fewer than 2018. And then by the way, that doesn’t mean they’re going to slow down their idea. Absolutely. Absolutely will pick it up. I do believe in 2020. So here’s the penalties for 2019 you have touched on medical imaging. 65,000 Medical Informatics engineering 3 million Bayfront health. St. Petersburg 100,000 Elite dentist Association 10,000 Jackson health system 85,000 that Dental Associates one I wrote about that. Sort of that was a that was a Yelp review. respond to a Yelp review. So a dentist are subject to HIPAA and be don’t don’t do that on on social media. University of Rochester Medical Center 2.15 million, Texas Department of Aging and Disability Services, 3 million centerra hospitals 1.6 million kuranda Medical LLC 2.175 million in West Georgia amulets we just talked about momentarily, or a few minutes ago $85,000. And then a breakdown of the compliance issues cited in the 20th 19 enforcement action. So this is just the ones that had to pony up some cash. And so these go back, some, in some cases, as we just heard six or seven years, so risk analysis, meaning no risk analysis was done five in five of those 10 cases, half of those cases did not have a risk analysis completed. Breach Notification rules, not follow three of those cases. So I think one of those cases was an argument between OCR and the health care provider about how many people were actually impacted. access controls to those and we saw a few of those this year of breaches not not enforcement’s, but breaches, where the access controls were not

Unknown Speaker 30:41
what they should have been.

Unknown Speaker 30:42
business associate agreements meaning, meaning they did not have a business associate agreement in place to member business associates are covered under HIPAA meaning they could also be penalized under HIPAA. But if you don’t have a business associate agreement in place Not sure it’s enforceable

Unknown Speaker 31:02
HIPAA right of access.

Unknown Speaker 31:04
So this is there was two of those, by the way. So HIPAA right of access also to meaning somebody asked for their records and you didn’t supply them in a timely manner. Security Rule policies and procedures. So this is epi, you’re not following policies or procedures just to device in media controls one failure to respond to a security incident one, Information System activity monitoring one, no encryption one, and that was the ambulance. There have been some cases of no encryption reported this year. Those have not been investigations haven’t been completed yet. notices of Privacy Practices one so we’re not even given a piece of paper that says this is our privacy practice. privacy rules, policies and procedures, one risk management, one, security awareness training for employees. One I’m impressed it’s not higher. And then social media disclosures one that would have been the dentist. So that’s going to do it for the news. We’re going to move on to our HIPAA breach Roundup.

Unknown Speaker 32:13
Alright, it was a fairly light week for HIPAA breaches, HIPAA breach notifications, there was only three which is not bad for a week. North auto a community health system and o ch has discovered an employee at North auto a community health hospital in Grand Haven Michigan. access to medical records of patients without authorization over a period of three years. So I mentioned this earlier briefly. The matter was brought to the attention of health system on October 15 by another employee, and investigation into the alleged inappropriate access was launched on October 17. And the employee was suspended pending the outcome of the investigation, and rch confirmed on November 25. That the employees had access to medical records of 4013 patients without legitimate work reason for doing so between May 2016 and October 2019. So about three and a half years, there appeared to be no discernible pattern to the unauthorized access patient records appear to have been accessed at random. No evidence was found to suggest that any patient information was stolen. And OC believes the employee was access and patient information out of curiosity, types of information potentially access to including names, dates of birth, social security numbers, Medicare and Medicaid numbers, health insurance information and some health information. Any patient whose social security number was viewable has been offered complimentary credit monitoring and identity theft protection services for 12 months. For the training on an OC h policies covering medical record access have been provided to all staff members and employee access to patient records has been tightened. That should have been done

Unknown Speaker 33:49
from jump

Unknown Speaker 33:51
again access controls. The breach has been reported to the Department of Health and Human Services offices over rights is up to OCR to side if any further action is taken against the employee over the HIPAA violation.

Unknown Speaker 34:06
So it’s interesting because the employee,

Unknown Speaker 34:09
I guess, would be considered a business associate. Not sure how that would work, but it’s

Unknown Speaker 34:15
it does say further action against the employee.

Unknown Speaker 34:19
cyber attack force is shut down of

Unknown Speaker 34:21
Center for Health

Unknown Speaker 34:22
Care Services computer systems, the Center for Healthcare Services in San Antonio, Texas experienced a cyber attack over the holiday period. This is back Christmas, which forced to shut down his computer systems. DHCS provides health care services for individuals with mental health disorders, developmental disabilities and substance abuse disorder and operate several walking clinics and outreach centers in San Antonio. To see HCS IT team determined that a single server had been compromised after being alerted about the cyber attack by federal officials. The decision was taken to shut down its entire computer system as a precaution. The IT department has stated has started restoring his computer systems and bringing them back online one by one starting with the systems that at its largest clinics this process is expected to take several days. cyber attack was part of a larger attack that started before the holiday period is currently unclear how many other organizations have been affected. And finally, Amy and Robert H. Lurie Children’s Hospital Chicago fires worker fund authorized

Unknown Speaker 35:21
medical record access

Unknown Speaker 35:23
who in the same week,

Unknown Speaker 35:25
pediatrics is a pediatric specialty hospital in Chicago, Illinois has discovered a former employee access to medical records of certain patients without a legitimate work reason for doing so. You unauthorized access occur between September 10 of 2018 is September 22 2019. So this one on check for just over a year. The hospital learned of the HIPAA violation in November 15 2019 and immediately terminated the employees access to all patient information while the incident was investigated. The employee was subsequently discipline for violation of HIPAA and hospital policies and was terminated employment was unable to view full social security numbers, financial information or health insurance information. The only types of information that could have been viewed were names addresses, dates of birth diagnosis, appointment dates, medical procedures and other limited medical information. The breach notice published on the hospital’s website makes no mention of the reason why the former employer was accessing patient information. But the hospital says there is no reason to suspect that any patient information has been stolen further

Unknown Speaker 36:25
disclosed or misused.

Unknown Speaker 36:28
Patients affected by the breach were notified by mail on December 26. As a precaution and it gets misuse of their personal and health information. Effective patients have been advised to monitor the statements they received from their health care provider. A spokesperson for the hospital said Lurie children’s deeply requested that this this incident occurred and confirm the steps have been taken to prevent any further incident of this nature from occurring in the future, including providing further training for employees and hospitals policies

Unknown Speaker 36:55
regarding unauthorized access for patient records.

Unknown Speaker 36:59
The incident has you Yet to appear in the Department of Health and Human Services Office of Civil Rights breach portal, which is also known as the HIPAA wall of shame. So it is currently unclear how many patients have been affected. So we have two cases of access controls, maybe not being appropriate for the employee. In each case, they said that they will take further action, you know, a little too little too late. I don’t know if this is something, it’s hard. I’m not going to say it’s easy to do. It’s easy to put access controls in place, that’s not hard to do. What’s hard to do is to make sure the right access controls are in place. So you know, if a ticket is created, sent to help desk saying, here’s our new employee, this is the rights they need access to or updated to. It’s you know, it’s easy, as easy as it is to set up it’s also easy to potentially give the wrong access control. So there needs to be some type of auditing in place. And we need to do a better job of this today. In the same week reported, Alright, we’re going to move on to our our HIPAA education for the week we’re going to talk about HIPAA applications or mobile applications and HIPAA.

Unknown Speaker 38:24
Alright, so, over the holidays, didn’t do a lot of writing. I did put something together. Right after New Year’s, so

Unknown Speaker 38:35
we’re going to talk about

Unknown Speaker 38:36
it. It is something that should be talked about,

Unknown Speaker 38:39
and that is HIPAA

Unknown Speaker 38:42
as it applies to mobile applications.

Unknown Speaker 38:44
So five need to know guidelines for mobile applications in HIPAA. Now, I did a lot of research, most of the information I got I got from the HHS website, but there are the blog post similar to this out there. So I’ll include some of them in my show notes, but You know, feel free to research this on your own as well, but it’s not, you know, you know, you might be surprised your your HIPAA, you may not have any HIPAA rights, depending on the application you’re using as a patient and healthcare providers need to understand that as well. Not that they have any liability, which we’re going to get into, but because they should protect our patients remember, at the end of the day, HIPAA is about patient care not about

Unknown Speaker 39:28
rules and regulations and penalties and

Unknown Speaker 39:32
making everybody’s life

Unknown Speaker 39:35
a nightmare. It’s just about making sure that patients information is not exposed,

Unknown Speaker 39:40
and that everybody’s

Unknown Speaker 39:43
every all the patients are

Unknown Speaker 39:46
protected. I mean, initially, HIPAA started out as a way to make sure that insurance if you went left one job and went to another job, you had insurance and making sure Sure that insurance companies were not not,

Unknown Speaker 40:06
what’s the word I’m looking for not compromising your information.

Unknown Speaker 40:08
So I’ll start the blog post. So HIPAA was passed in 1996. So that’s what I’m kind of trying to get to here. That was 24 years ago as of this blog post 24 years ago. So think about what’s changed in 24 years. 24 years ago, internet was kind of, kind of in its infancy still, a lot of people were still using dial up. Some people may have had DSL, which was a little bit faster than dial up. Not much. Funny how that hasn’t changed much over the years. But now you know, today internet is widely available. We didn’t have smartphones yet. There were no mobile applications yet. Things there wasn’t electronic medical records, electronic health records yet. So a lot has changed in that 24 years in that short 24 years. That’s not to say there haven’t been there haven’t been updates to HIPAA. There have been As we know, the high tech rules, Omnibus rule, things like that the security rules, those things have been added to HIPAA. As we know today, not and there will be changes, I do believe in this year, probably. But there haven’t been there. And but there haven’t been any changes in the last, I don’t know, six years or so a little, little more than six years. So that’s interesting,

Unknown Speaker 41:28
because even in the last six years technologies

Unknown Speaker 41:30
dramatically changed your smartphone today is more powerful than a computer was five or six years ago.

Unknown Speaker 41:38
A regular you know,

Unknown Speaker 41:40
available to the public computer was five or six years ago, there will likely be updates to HIPAA to address rapidly changing technology, but it’s hard to imagine any legislation keeping up with tech. So that being said, what I’m what am I saying there? So legislation moves slow. In today’s environment legislation moves slow. We’re Lots of legislation out there for privacy, not just with HIPAA, but privacy overall there’s the smartphone app, the smartphone privacy, not really smartphone smart device privacy as it relates to health care. You know, you have your smart watches that track heart rates and all kinds of other medical information. So people are trying to come up with ways to protect that information. There’s copra, potentially coming out, which would be our version of GDPR. There’s lots of legislation out there but it moves slow and it doesn’t move at the speed of tech tech

Unknown Speaker 42:33
moves very fast.

Unknown Speaker 42:34
hhs did clarify mobile applications in

Unknown Speaker 42:37
HIPAA. And I link back to those

Unknown Speaker 42:42
conversations on the HHS website.

Unknown Speaker 42:46
I wrote about and tried to put in layman’s terms

Unknown Speaker 42:48
as best as possible for the purpose of this blog. Siemens covered entity NBA means business associate agreement. So the five guidelines for mobile applications and HIPAA if a covered entity develops and maintains the app, They are responsible for

Unknown Speaker 43:01
protecting pH, they must comply with HIPAA Security Rule

Unknown Speaker 43:04
that must be included in the covered entities risk analysis and corresponding plan to do not develop the app then they need not worry about Phl within the app, the app developers responsible for security

Unknown Speaker 43:15
and the app and protecting pH I,

Unknown Speaker 43:17
that is, if the app developer is the EHR provider, the EHR vendor for the covered entity. If the covered entity did not develop and or does not maintain the opt in the covered entity is not liable in the event of a breach involving pH I wants to patient request their health information be delivered to them via an app in this scenario, their healthcare practices no longer responsible for the health care information. So as you can imagine, if if the patient says hey, I need my healthcare records, and I want to send to this app, or I want it sent to this email or wherever they want to send to the health care provider really has no control over after it leaves their hands. So there’s no saying now that that patient doesn’t, you know, put it on Facebook and say hey, look at this. healthcare provider has no control over to that point. The same applies to the HR that a healthcare practice uses. If the patient’s request for the healthcare information is passed to an app developed and maintained by the EHR vendor, EHR vendor is liable for any breaches under the HIPAA. If the app is developed by a third party with no relationship to the EHR vendor than EHR vendor is not liable if a HIPAA breach occurs. A covered entity cannot refuse to provide healthcare information as requested by a patient Despite concerns over the security of an app. It business associate agreement is required if the app creates

Unknown Speaker 44:32
maintains receives or transmit psi,

Unknown Speaker 44:35
or if the app was provided to the patient by the covered entity directly or through its EHR. If the app was not provided by the covered entity and does not facilitate the creation, maintenance receipt or transmission, a pH on behalf of the covered entity, then a BA is not required. In a nutshell, app developers, app developers should utilize security best practices regardless

Unknown Speaker 44:56
of where they fall under HIPAA, but they’re not

Unknown Speaker 45:00
Patients should be cautious of how their pH is transmitted, regardless of who provided the app. apps that are not provided by covered entity are not liable under HIPAA and therefore can share Ph. I and I put sharing quotes because I’m not saying they will.

Unknown Speaker 45:15
I’m not saying they should I’m saying they could

Unknown Speaker 45:17
do that potentially. The more likely scenario is this, you get your healthcare records, and then you input it into an app that tracks your health, for fitness or for weight loss or something like that. So that’s the more likely scenario to occur. HIPAA does not regulate how an app acting as a designee of the patient and not the covered entity can use the PHR provided by the covered entity. In other words, if I get my healthcare records and then I share with my spouse, I am given it that’s my designee.

Unknown Speaker 45:50
So I’m saying what I’m saying is

Unknown Speaker 45:53
you should, you should treat an app not provided by your healthcare provider, just like you would treat it as a friend. Giving you healthcare records to you, there’s no guarantee that they’re going to keep it safe. You could trust them. But that doesn’t mean they will keep you safe. You know, they put it in a car, they leave it on the roof of the car, they drive off and it flies away, or you know, the share with somebody else in the family or whatever it could be. So that’s how you should treat it. I would treat even with more. What’s the word I’m looking for more. I would be more careful with this information with an app because you don’t know the creators of the app, at least with if you’re sharing it with a spouse or a friend, you know them.

Unknown Speaker 46:36
If, in other words, if you choose a third party app not provided

Unknown Speaker 46:39
by a healthcare provider, then you will potentially expose your healthcare information, especially if the app includes the right to share their terms in their terms of usage. So in other words, we don’t read the terms of usage terms of agreement on apps anymore. Nobody really reads it. It’s a lot to read. I’m sure a few people out there read it, but most don’t. You just accept the terms and you continue on You don’t know what those terms are saying. So you need to be careful with what you’re using.

Unknown Speaker 47:06
When it comes to your health information and also your

Unknown Speaker 47:09
your sensitive information like Social Security, number of credit card numbers, things like that. health, health care providers can express their concerns with third party app not provided by the healthcare provider to the patient when a request for the patient’s healthcare records are made. They cannot, they cannot refuse to deliver those records. Refusing to deliver the PII pH is requested by a patient is a potential HIPAA violation under HIPAA right of access.

Unknown Speaker 47:35
So here’s an example of HIPAA liability mobile apps. My children’s pediatrician provided an app to communicate, update and deliver their health information. The app is called follow my help health sorry, follow my health and is provided through a very commonly used HR and healthcare. It’s called all scripts. Now there wasn’t all scripts breach. I don’t remember when it was but not that long ago. So That’s not to say all scripts is is by any means. The best HR out there I know there are others put take day are they’ve been around for a while. And they are. They do provide follow my health since the app is provided by the HR that the pediatrician uses than a pediatrician. All scripts in follow and follow my health are mostly all scripts and follow my health are liable under HIPAA, HIPAA breach of follow my health might mean a pediatrician could be liable as a covered entity in this case, the high tech act and Omnibus rule put more of the onus on all scripts of home health as these additions to HIPAA now make business associates liable under HIPAA, but the pediatrician could be but not likely, depending on the scenario. liable as well is my kids pediatrician decided not to provide an app and I made a request for their healthcare records to another third party app. The pediatrician is off the hook in the event of a HIPAA breach through the app. They should at least warn me of the risk but that is Not a requirement. They do not they do have to provide records under patients rights of access. But that’s not the only requirements in this scenario. So that’s HIPAA, HIPAA and mobile applications in a nutshell. If you are using a third party app as a patient, you’re going to need to be extremely cautious, extremely careful with that. Unless you just don’t care. I mean, let’s be honest, there are some people out there that don’t care if their healthcare records are compromised.

Unknown Speaker 49:32
If your app is provided means

Unknown Speaker 49:35
created and maintained and provided by your healthcare provider, then absolutely, you should feel secure. And you should be concerned if a HIPAA breach occurs in the covered entity, the healthcare provider in this case, is liable under that under the rules here. I expect to see more of this as we continue through the year and through the next few years. As we know, everything is becoming more and more mobile and smart, smart device focused. We’re going to get to a point where smartphones are our thing of the past, and I don’t think we’re that far off. So it’ll be interesting to see how this transforms as well.

Unknown Speaker 50:17
That is going to do it for this

Unknown Speaker 50:19
episode of the productive it podcast episode number 11. Thank you for joining me today. Welcome to 2020. I hope it to be a fruitful and successful year for everybody. And until next week, everyone, enjoy it. Have a great week

Unknown Speaker 50:36
and stay secure

Transcribed by https://otter.ai

Scott Gombar

Author Scott Gombar

More posts by Scott Gombar

Leave a Reply