ProactiveIT Ep 13 – The NSA Is Playing Nice, Healthcare Data Breaches Will Cost $4 Billion in 2020 and What Does the FTC Have to Do With HIPAA
This is the ProactiveIT Podcast. This Week: The latest in IT and Cyber Security news plus The NSA Playing Nice, HIPAA Settlement Review and some HIPAA Education
This is Episode 13!
Intro
Hi Everyone and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so that you can better protect your business and identity.
This podcast is brought to you by Nwaj Tech – a client focused & security minded IT Consultant located in Central Connecticut. You can find us at nwajtech.com.
Patch Tuesday Update:
Microsoft Releases January 2020 Office Updates With Crash Fixes
Firefox 72.0.1
Python 2.7 has reached EOL
Windows 7 EOL is on Patch Tuesday 1/14
Google Chrome 79.0.3945.130 (To Address MS Vulnerability)
Juniper Networks Releases Security Updates
Cisco Releases Security Updates for Multiple Products
https://www.us-cert.gov/ncas/current-activity
Microsoft’s January 2020 Patch Tuesday Fixes 49 Vulnerabilities
Cyber Security News
Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability
Anticipating the First Cybersecurity Enforcement Action by NYDFS
Equifax Settles Class-Action Breach Lawsuit for $380.5M
Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2020
Hot Topics
Topic 1: NSA’s First Public Vulnerability Disclosure: An Effort to Build Trust
Topic 2: OCR Settles Second Case in HIPAA Right of Access Initiative
Topic 3: Time to Review Your Internal MSP Security
HIPAA Corner:
https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-ftc-act/index.html
HIPAA Breaches
https://www.hipaajournal.com/category/hipaa-breach-news/
Transcription
This is the ProactiveIT Podcast. This week: the latest in IT and cyber security news, plus the NSA playing nice, a HIPAA settlement review and some HIPAA education. This is Episode 13. Hi everyone and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so you can better protect your business and identity. This podcast is brought to you by Nwaj Tech, a client focused and security minded IT consultant located in Central Connecticut. You can find us at nwajtech.com, that's N-W-A-J-tech.com.

All right, we start the show off like we start every weekly episode off, with our Patch Tuesday update, and there is quite a bit of news. So we already told you last week about Microsoft releasing the January 2020 Office updates that involved crash fixes; we told you about Firefox 72.0.1. And we reported, I believe, the week before that, that Python 2.7 reached end of life. So this week was the end of life for Windows 7, and as a result, of course, Tuesday, January 14, there were some patches released, and I'm going to go through all of the software and hardware that has patching available for this week. So Oracle released its January 2020 security bulletin. Allegedly this is the most security releases, patching updates, that Oracle has ever done in one month. So that's interesting. Adobe released security updates, primarily for Illustrator CC. VMware released security updates. Intel released security updates. Microsoft released a bunch of security updates, and we're going to talk a little later on in the episode about how the NSA actually warned them of a critical vulnerability. So more of the, the NSA playing nice, I guess you could say. So that's interesting that they're doing that. Citrix, there was an advisory.
There's a utility now available for the Citrix vulnerability that we reported on, so Citrix ADC and Citrix Gateway vulnerabilities, a few different versions. There is a vulnerability that is still unpatched, but there's a utility to check whether or not your environment is vulnerable. So go check that out on the Citrix site. Let's quickly talk about what is being patched for Microsoft. So again, Windows 2007, I'm sorry, Windows 7, not 2007. Windows 7 is no longer going to be supported, and Server 2008 is no longer going to be supported. So you will need to update those systems. I'm only going to talk about critical patches, critical vulnerabilities being addressed by Microsoft here. .NET Framework has several critical vulnerabilities addressed. ASP.NET has a critical vulnerability being addressed. And RDP once again, with a few vulnerabilities being addressed. I have been recommending as much as possible that if you use Remote Desktop, make sure you're doing it in a secure manner: over VPN, with third party utilities to lock it down further, or internally only; block external access to it. If you don't use it, turn it off, and use another method of remoting. And finally, Google did update Chrome to address the vulnerability in Windows, the NSA-reported Windows CryptoAPI flaw. So Google has released Google Chrome 79.0.3945.130, which will detect certificates that attempt to exploit the NSA-discovered CVE-2020-0601, which again is the CryptoAPI Windows vulnerability. So update Chrome, update Windows 10, and stay safe. All right, pretty light week for news, big news anyway. So let's get started; there were lots of little things going on but not a lot of big topics.
So first up, this is only impactful to Europe, according to this article; I have not been able to confirm whether the US is impacted by this, but hundreds of millions of cable modems are vulnerable to the new Cable Haunt vulnerability. So cable modems using Broadcom chips are vulnerable to a new vulnerability named Cable Haunt. The report says 200 million modems in Europe are impacted by this. It does not say anything about the US. This is on ZDNet, by the way. The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone. So, you know, with that comment it's hard to understand whether or not the US is impacted. The vulnerability impacts a standard component of Broadcom chips called the spectrum analyzer. This is hardware and software that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers in debugging connection quality. On most cable modems, access to this component is limited to connections from the internal network. The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware. So researchers say that by tricking users into accessing a malicious page via their browser, they can use the browser to relay an exploit to the vulnerable component and execute commands on the device. It involves a little bit of phishing and a little bit of manipulation, but, you know, I could see phone calls from the alleged cable company saying, hey, navigate to this page, there's an issue with your cable modem, type in this web address, we'll get this fixed up for you. And I got a call from someone claiming to be Microsoft today, by the way. Those are not real. If you get a call from Microsoft, it's not real.
So using the Cable Haunt attack, an attacker could change the default DNS server, conduct remote man-in-the-middle attacks, which can be dangerous, hot swap code or even an entire firmware (or even a remote default DNS server could be dangerous), upload, flash and upgrade firmware silently, disable ISP firmware upgrades, change every config file and setting, get and set SNMP OID values, change all associated MAC addresses, change serial numbers, and be exploited in a botnet. There is a proof of concept available. So you'll want to get that addressed. I don't know that there's a patch for that. So you'll want to make sure you're not getting tricked into navigating to any web pages that somebody randomly calls up about; this is phishing at its best, phishing, we'll call it. And it has a list of models here, so I'm going to read them real quick: Sagemcom F@st 3890, Sagemcom F@st 3686, Technicolor TC7230, Netgear C6250EMR, Netgear CG3700EMR, Netgear CG37... I said that already, Sagemcom F@st 3890, Sagemcom F@st 3686, these are with different firmware versions as well, so Compal 7284E, Compal 7486E, and Netgear CG3700EMR. I would imagine there'll be firmware patches for that shortly. So stay tuned for that.

So I found this on law.com; this was January 6, so it's a couple weeks old, but: Anticipating the First Cybersecurity Enforcement Action by NYDFS. A number of traditional factors that animate decisions about enforcement point to the likelihood in the near term of an enforcement proceeding against one or more regulated entities for violation of the DFS cybersecurity regulation known as Part 500. So we've been talking about how data breaches are going to become more and more, that privacy laws are going to become more and more important. So you have GDPR in Europe, we have CCPA in California; more states are going to start enforcing these types of things.
The question gets asked quite frequently in regulatory circles: will the New York State Department of Financial Services bring an enforcement action under its cybersecurity regulation? And if so, when? The probable answers are yes and soon. As discussed below, a number of traditional factors that animate decisions about enforcement point to the likelihood in the near term of an enforcement proceeding against one or more regulated entities for the violation of the DFS cybersecurity regulation known as Part 500. Background on Part 500: first issued in March of 2017, Part 500 contained a two year implementation period. So obviously, two years is now up, and it has been fully effective for approximately nine months. Generally, regulated institutions must implement and maintain a robust cybersecurity program, including such core components as: a written policy approved by the board of directors or a senior officer setting forth the procedures for protecting information systems and stored nonpublic information, and which includes a written incident response plan designed to promptly respond to and recover from a cybersecurity event; periodic risk assessments (sound familiar?), updated as necessary to address changes to systems, types of data or operations; continuous monitoring or, alternatively, annual penetration testing and bi-annual vulnerability assessments; notification to DFS within 72 hours of a qualifying cybersecurity event; a CISO responsible for overseeing the cybersecurity program; risk based limits on user access privileges to information systems, with periodic review of such privileges; written policies and procedures governing information systems and nonpublic information accessed or held by third party service providers.
Effective controls such as multi factor authentication, and encryption of nonpublic information at rest and in transit; annual certification of compliance by the board of directors or a senior officer of the entity. Regarding enforcement, Part 500, the regulation states, will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under applicable laws. So that's New York, and they do expect that there will be some enforcement this year. Sounds a lot like HIPAA, doesn't it? There's more in the article, so you can go to law.com; you do need an account, it is free to read, but it's on law.com and of course there will be a link in the show notes.

Equifax settles class action breach lawsuit for $380.5 million. The breach from 2017, I'm sure we're all aware, has been settled for $380.5 million, and Equifax may be required to pony up another $125 million if needed to satisfy claims for certain out of pocket expenses or losses. And what does that mean for individuals? So anybody involved in the class action suit has until January 22 to claim benefits. That means, as of this episode, you have five days. Affected consumers can either sign up for 10 years of free credit monitoring, or the equal cost of $125, or apply for a cash payout, which would make them eligible for up to $20,000. A cash payout would cover serious repercussions from the breach like losses from unauthorized charges to victims' accounts or the cost of freezing their credit report. Equifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when it disclosed a data breach. The attackers accessed information containing social security numbers, birth dates, addresses, and some driver's license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company's files for nearly 12 weeks.
So again, if you were impacted by the Equifax breach, you're going to want to put in your claim before the 22nd, which again gives you five days from the time of this recording. Take care of it. Last bit of news for the week: we have a report on HIPAA Journal, healthcare data breaches predicted to cost $4 billion in 2020. In the healthcare industry, data breaches are occurring more frequently than ever. The healthcare data breach figures for 2019 have yet to be finalized, but so far 494 data breaches of more than 500 records have been reported to the HHS OCR, and more than 41.11 million records were exposed or impermissibly disclosed in 2019. That makes 2019 the worst year ever for healthcare data breaches, and the second worst in terms of number of breached healthcare records. The healthcare industry now accounts for around four out of every five data breaches, and 2020 looks to be another record breaking year. The cost to the healthcare industry from those breaches is expected to reach $4 billion in 2020. So there is a lot of work to be done. Healthcare is the target. Other key findings of the survey include: 96% of IT professionals said threat actors are outpacing medical enterprises. More money is being spent on marketing to repair damaged reputations after a breach than is spent on combating the consequences of the data breaches. 35% of healthcare organizations do not scan for vulnerabilities before an attack. 87% of healthcare organizations have not had a cybersecurity drill with an incident response process. 40% of providers surveyed do not carry out measurable assessments of their cybersecurity status, and 26% of hospital respondents and 93% of physician organizations currently report they do not have an adequate solution to instantly detect and respond to an organizational attack. 93% of all healthcare providers do not have a way to detect and respond to an attack. That is crazy.
That is going to wrap up our news for the week; we're going to move on to our hot topics. All right, so let's dive in to our hot topics. The first one, pretty cool stuff. This is reported on BleepingComputer, but you can find it pretty much everywhere at this point: NSA's first public vulnerability disclosure, an effort to build trust. So the NSA did report, as I've mentioned a few times on a couple of different podcasts now, that there was a critical vulnerability discovered in Windows 10, and they shared it with Microsoft so that Microsoft could patch it. Kind of a new era in building trust between vendors and the government. So it's pretty cool stuff. So the US National Security Agency, NSA, started a new chapter after discovering and reporting to Microsoft a vulnerability tracked as CVE-2020-0601 and impacting Windows 10 and Windows Server systems. In a phone call with the press that BleepingComputer joined, sorry, NSA's Director of Cybersecurity Anne Neuberger said that this is the first time the agency decided to publicly disclose a security vulnerability to a software vendor. "I thought hard about that. When Microsoft asked us, can we attribute this vulnerability to NSA? We gave it a great deal of thought and then we elected to do so, and here's why," Neuberger explained. She added that part of building trust is showing the data, and as a result, it's hard for entities to trust that we indeed take this seriously, and ensuring the vulnerabilities can be mitigated is an absolute priority. Neuberger also said during the media call that the agency will make efforts towards building an alliance with the cybersecurity community and private sector entities, and will begin to share vulnerability data with its partners instead of accumulating it and using it in future offensive operations.
Sources say this disclosure from the NSA is planned to be the first of many as part of a new initiative at NSA dubbed "Turn a New Leaf", aimed at making more of the agency's vulnerability research available to major software vendors and ultimately to the public, journalist Brian Krebs reported. NSA is redefining itself. "We believe in coordinated vulnerability disclosure (CVD) as a proven industry best practice to address security vulnerabilities," MSRC's Principal Security Program Manager Mechele Gruen added. "Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public." NSA's new approach to building trust with the public and its partners redefines the agency's cybersecurity mission, as US Army General and NSA Director Paul M. Nakasone stated in July 2019: the Cybersecurity Directorate "will reinvigorate our white hat mission, opening the door to partners and customers on a wide variety of cybersecurity efforts", yada yada, "at the time, it will also build on our past successes, such as Russia Small Group, to operationalize our threat intelligence, vulnerability assessments, and cyber defense expertise to defeat our adversaries in cyberspace." So that is really good news: NSA is not choosing to weaponize it, instead choosing to share with the community. So, I have mentioned on multiple occasions there needs to be collaboration. We have a little bit of collaboration here. So that is good news.

So I decided to do a HIPAA case study this week as part of our drill down, our hot topics. And so I have one here: OCR settles second case in HIPAA Right of Access Initiative. And the reason I decided to share this one is because HIPAA right of access is going to continue to be a hot topic for the HHS. So if you are refusing, or, you know, I don't know if refusing is the best word.
If you're intentionally dragging your feet, or maybe not even intentionally dragging your feet, when a patient asks for their records, you will be part of the problem, and they will continue to... all it takes is one complaint, and you could end up paying millions as the result of one complaint, because if they decide to open an investigation on you and find that your HIPAA program is in shambles, then you're going to end up with a settlement. So here's the press release from OCR: OCR settles second case in HIPAA Right of Access Initiative. The Office for Civil Rights at the US Department of Health and Human Services is announcing its second enforcement action and settlement under its HIPAA Right of Access Initiative. OCR announced this initiative earlier this year, promising to vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. Korunda Medical has agreed to take corrective action and pay $85,000 to settle a potential violation of HIPAA's right of access provision. Korunda is a Florida based company that provides comprehensive health care, I'm sorry, comprehensive primary care and interventional pain management to approximately 2,000 patients annually. In March of 2019, OCR received a complaint concerning a Korunda patient alleging that, despite repeated requests, Korunda failed to forward a patient's medical records in electronic format to a third party. Not only did Korunda fail to timely provide the records to the third party, but Korunda also failed to provide them in the requested electronic format and charged more than the reasonably cost-based fees allowed under HIPAA, which we reviewed a couple of weeks ago. OCR provided Korunda with technical assistance on how to correct these matters and closed the complaint. Despite OCR's assistance,
Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of OCR's second intervention, the records were provided for free in May 2019 in the format requested. But now it becomes negligent, because now you got the advice from OCR, you ignored them, and they had to come back again, and now it becomes negligent. "For too long, health care providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up health care providers to their obligations under the law," said Roger Severino, OCR Director. In addition to the monetary settlement, Korunda will undertake a corrective action plan that includes one year of monitoring. The resolution agreement I'm going to look at right now. So this is all available on the HHS website if you wanted to review it; the link will of course be in the show notes. So it is a long document, and I'm not going to read the whole document, of course. You know, it tells you who's involved, the facts of the case. So here's the facts: on March 6, 2019, OCR received a complaint alleging Korunda Medical is not in compliance with the Privacy Rule. The complaint alleged Korunda refused to provide an individual with access to her protected health information in a requested format. On March 18, 2019, OCR provided Korunda Medical with technical assistance regarding individuals' right of access to protected health information and closed the complaint. On March 22, 2019, OCR also received a second complaint concerning Korunda's continued non-compliance with the requirements of the Privacy Rule concerning access at 45 CFR 164.524.
Sorry, on May 8, 2019, HHS notified Korunda Medical of its investigation of Korunda Medical's compliance with the HIPAA Rules promulgated by HHS pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996. The covered conduct, in part, says Korunda Medical failed to provide timely access to protected health information from April 22, 2019 to May 12, 2019. So you do have a certain amount of time, and I believe it's 30 days, yes, 30 days, and if you need more time than that, you have to notify them, but you cannot take more than 60 days. So they failed and they were fined. And then terms and conditions. So payment: HHS has agreed to accept, and Korunda Medical has agreed to pay HHS, the amount of $85,000. It could have been worse: if they hadn't followed their HIPAA plan, or if they had no HIPAA compliance program in place at all, then it would have been worse. Korunda Medical has entered into and agrees to comply with the corrective action plan, CAP for short, attached as Appendix A, which is incorporated into the agreement by reference. If Korunda Medical breaches the CAP and fails to cure the breach as set forth in the CAP, then Korunda Medical will be in breach of this agreement and HHS will not be subject to the release set forth in the paragraph. So pursuant to 42 U.S.C. 1320a-7a(c)(1), a civil money penalty must be imposed within six years from the date of the occurrence of the violation. To ensure that the six year period does not expire during the term of the agreement, Korunda Medical agrees that the time between the effective date of this agreement as set forth in paragraph 14 and the date the agreement may be terminated by reason of Korunda Medical's breach, plus one year thereafter, will not be included in calculating the six year statute of limitations applicable to the violations which are the subject of this agreement. So, in other words, they have to carry out their part of the deal.
And then the six years are in place so that they could still face a civil suit, and so that could, you know, be another issue for them; they may have more financial loss as a result of just not supplying the patient's records as requested. And then it lists the policies that they need to review and revise. So Korunda Medical agrees to the following: that within 30 calendar days of the effective date, Korunda Medical shall review and, to the extent necessary, revise its policies and procedures related to access to protected health information consistent with 45 CFR 164.524. The revised policies and procedures shall identify Korunda Medical's methods for calculating a reasonable cost based fee for access to PHI, which we reviewed, including the methods for calculating the cost of labor for copying the PHI requested by the individual, whether in paper or electronic form (and that's, you know, obviously the rate of the employee that's doing that), supplies for creating a paper copy or electronic form if the individual requests that the electronic copy be provided on portable media, postage when the individual requests that the copy or the summary or explanation be mailed, and preparation of an explanation or summary of PHI agreed to by the individual. And then HHS shall review and, if necessary, recommend changes to the aforementioned policies and procedures for individual access to PHI. Upon receiving recommended changes from HHS, Korunda Medical will have 30 calendar days to provide revised policies and procedures. So it's not just a fine; you can see that HHS is going to be paying really close attention to them here, and that could be considered a nuisance. Privacy training on individual access to protected health information: so they do have to provide training within 60 calendar days, and then within 32 calendar days of HHS's approval, and annually while under the term of this CAP, Korunda Medical shall provide training to all workforce members at its facilities.
Access requests: as required, within 90 days of receiving HHS approval of the policies and procedures required by Section V.A.1, and every 90 calendar days thereafter while under the term of the CAP, Korunda Medical shall submit to HHS a list of requests for access to PHI received by Korunda Medical. So there again, a little micro managing. Obviously, it looks to me like they had a pretty decent HIPAA program in place, since there were no other notifications in this settlement. But, you know, something as simple as a complaint about not getting their patient records in a timely manner can turn into a nightmare for any medical facility.

All right, last up we have, on MSPAlliance, this was written on January 15, so a couple days ago: Time to Review Your Internal MSP Security. So another MSP was compromised, and as a result an airport at Albany was hit with ransomware. That MSP, I don't know what the story is; their website hasn't been updated in 12 years, so it's hard to say. But it's time. So, written by Charles Weaver, co-founder of MSPAlliance: it is 2020. That means it's time to review your internal MSP security preparedness. What does that mean? Let's take a closer look. So these are the things that they suggest to check. First of all, administrator accounts. Exploiting shared administrator accounts has been the path where hackers have been successful in the past. One successful hacker will continue their attacks until they are blocked. Compromising administrator accounts gives the hacker a broad level of access to do what they wish. Guarding your administrator user accounts and distributing them with discretion is a good first step, and along with that, auditing who has an administrator account and what they're using it for, and then MFA needs to be set up. That's my ad lib. Lock down your vendors: it's no surprise that hackers love exploiting MSP vendor tools.
While they may not like it, vendor access into your network should be an area of focus for your internal security review. And then he wrote, I would suggest providing limited administrator access only for those occasions when the vendor needs it. Persistent administrator access is now a thing of the past and no longer a best practice. Back up your data. We use a backup and disaster recovery from Datto, and the reason we use Datto is because what it does is it creates an image of the machine in the cloud. And so if that machine is hit, this is me ad libbing, by the way, if that machine is hit with ransomware, you can immediately be back up and running with the cloud version of that, which backs up daily. Scan the perimeter: vulnerability scanning is an excellent service to promote and deliver to customers; it's an even better idea for your internal MSP network. Performing regular vulnerability scans is a part of keeping a healthy and secure network. Password managers: yeah, stop storing passwords on spreadsheets. Use a password manager. We use a password manager here, and then make sure that the password manager is locked down as well, with MFA and a strong password. And then get verified: doing all these things to protect your MSP practice? Great. Now prove it. Just practicing security is no longer enough. Today you need to demonstrate your security best practices. Getting MSP Verified by an independent auditor can help you communicate all the great things you're doing to protect your MSP practice and all your customers; otherwise it's just bragging. And he does admit that there are a lot of additional steps, and, you know, MFA, strong password policies, all those things need to be in place. The one thing I will say is, in most of the attacks that launched from MSPs, it did not seem that MFA was in place in most of the attacks. So something to think about with your security at an MSP.
And I don't know if any MSPs actually listen to this podcast, but if they do, you really need to think long and hard about what you're doing. Maybe you're not prepared; maybe hire someone to come in and show you what needs to be done, because the lives that are being impacted, the businesses that are being impacted, is astronomical, and the amount of money that's being lost as a result, by patients, by healthcare facilities, by businesses, by employees of your business, it's a lot of money being lost. A lot of lives being upended. It needs to be corrected. So I'll get off my soapbox now. We're going to talk about HIPAA breaches for the week.

All right, welcome back. I thought it was going to be a light week for HIPAA breach notifications, but a few of them popped up in the last 24 hours. So let's get right down to it, and start with Health Quest Systems discovers additional patients impacted by 2018 phishing attack. Health Quest, now part of Nuvance Health, has discovered the phishing attack experienced in July 2018 was more extensive than previously thought. Several employees were tricked into disclosing their email credentials by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been compromised. In May 2019, Health Quest learned that the protected health information of 20,910 patients was contained in emails and attachments in the affected accounts, and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims information and some health data. A secondary investigation of the breach revealed on October 25, 2019 that another employee's email account was compromised which contained PHI. According to the substitute breach notification on the Health Quest website,
The compromised information varied from patient to patient but may have included one or more of the following data elements: dates of birth, Social Security numbers, driver's license numbers, Medicare health insurance claim numbers, provider names, dates of treatment, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims information, financial account information and PIN/security code, and payment card information. No evidence of the unauthorized viewing of patient data was uncovered. No reports have been received to indicate any patient information was misused. Out of an abundance of caution, additional letters were mailed to patients on January 10, 2020. Health Quest is now using multi-factor authentication on its email accounts and has strengthened security processes and provided additional training to its employees on phishing and other cybersecurity issues. It is currently unknown how many additional patients have been affected. MFA added after the fact.

44,000 patients impacted by phishing attacks on InterMed and Spectrum Healthcare Partners. Portland, Maine-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack. The attack was discovered on September 6, 2019. An internal investigation confirmed that the account was compromised on September 4, 2019 and the attackers had access to the account until September 6. A comprehensive review of the affected email accounts was conducted, but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers. The types of information in the compromised accounts vary from patient to patient, and may have included patients' names, dates of birth, health insurance information, and some clinical information.
A very limited number of patients also had their Social Security numbers exposed. InterMed started mailing breach notification letters to affected patients on November 5, 2019. Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security numbers were exposed. Steps have now been taken to improve email security and training has been reinforced.

Phishing attack impacts 11,308 patients at Central Maine Orthopedics. 11,308 patients of Central Maine Orthopedics, part of Spectrum Healthcare Partners, are being notified that some of their protected health information was potentially viewed by an unauthorized individual who gained access to the email account of one of its employees. Spectrum Healthcare Partners discovered the unauthorized access on November 14 and immediately secured the affected account. The investigation revealed the account had been breached on November 5. A review of the email attachments in the account revealed they contained patients' names, dates of birth, addresses, health insurance information, clinical and treatment information, and amounts owed to Central Maine Orthopedics. While it was confirmed that the attacker remotely accessed the account, no evidence was uncovered to suggest patient information was obtained or misused. Affected patients were notified out of an abundance of caution on January 13.

40,564-record breach reported by Children's Hope Alliance. Barium Springs, North Carolina-based child welfare agency Children's Hope Alliance has announced that a laptop computer containing sensitive information has been stolen. According to the substitute breach notice on the Children's Hope Alliance website, the laptop was stolen on October 7, 2019. A digital forensics firm was engaged to determine whether the laptop contained any sensitive information.
The investigation is ongoing, but the initial findings show documents on the device contained information such as names, addresses, Social Security numbers, tax identification numbers, dates of birth, usernames and passwords, and medication and other such information. The breach report submitted to the Department of Health and Human Services' Office for Civil Rights indicates 40,564 individuals have been impacted. The breach summary said this was a hacking/IT incident involving email. It is unclear at this stage whether this is an error or a separate breach, or if the laptop was used to hack into the employee's email account. Now, I don't know, it's hard to say. In late 2019, a laptop is not encrypted? But I guess it's possible.

Enloe Medical Center continues to experience EMR downtime due to ransomware attack. I reported this on Cyber Security Daily, but a California healthcare provider was attacked with ransomware two weeks ago, and its medical records systems are still out of action. Enloe Medical Center in Chico, California discovered the attack on January 2, 2020. Its entire network was encrypted, including its electronic medical record system, which prevented staff from accessing patient information. Emergency protocols were immediately implemented to ensure care could still be provided to patients, and only a limited number of elective medical procedures had to be rescheduled. So the good news is they were able to avoid any serious problems, but there was a report a few weeks ago about the difference in time when using electronic medical records and having access to that versus paper medical records, and there is a decrease in care, level of care, I guess you could say, when there's a delay in getting the information that they need. And so these ransomware attacks are doing just that. They're taking what should be a technological issue and turning it into a human issue.
So, something to think about when you're reviewing your healthcare plan. Know your healthcare plan; review your cybersecurity plan and your HIPAA program to make sure that things are done the right way. And in last... well, that's it, I'm sorry, Enloe was the last one. So that's going to do it for our HIPAA roundup for the week. We're going to move on to our HIPAA education piece. I want to point out that of the five (I think there were five there), three of them were phishing attacks, MFA not set up. One was a stolen laptop, encryption not set up. Most likely; it doesn't say for sure. But most likely, if they did have encryption set up, they didn't have to report. So I would assume that encryption was not set up. So four out of the five were easily preventable. Something to think about, healthcare practices.

All right, we're gonna move on to the HIPAA education. Right, this week's education piece, we're going to talk about sharing consumer health information, because it's not just HIPAA. There's an FTC act involved with it as well. And I'm taking it straight from the hhs.gov website on HIPAA. Does your business share consumer health information? When it comes to privacy, you've probably thought about HIPAA. But did you know that you also need to comply with the FTC Act? This means if you share health information, it's not enough to simply consider the HIPAA regulations. You also must make sure your disclosure statements are not deceptive under the FTC Act. So we haven't really talked about sharing health information. We talked a little bit about it when we talked about HIPAA and mobile applications, but not much more than that. And so essentially, the short version is you can share information if the patient is aware. But let's go through all of the rules here. Let's start with HIPAA.
So the HIPAA Privacy Rule requires certain entities to protect the privacy and security of health information. The rule also provides consumers with certain rights with respect to their information. This rule applies to you if you are a HIPAA covered entity: a health plan, most health care providers, or a health care plan. It also applies if you are a business associate, which is a person or company that helps a covered entity carry out its healthcare activities and functions. Here are some highlights of the HIPAA Privacy Rule requirements for covered entities and business associates. In order for you to use or disclose consumer health information for commercial activities besides treatment, payment or healthcare operations, or other uses and disclosures permitted or required by the Privacy Rule, the customer must first give you written permission via a valid HIPAA authorization. HIPAA authorizations provide consumers a way to understand and control their health information. The authorization must be in plain language. If people can't understand it, then it isn't effective. So in other words, you can't use legal jargon or medical jargon. Think about who, what, when, where and why. Explain who is disclosing and who is receiving the information. What are they receiving? When does the disclosure permission expire? Where is the information being shared, and why are you sharing it? The authorization must include specific terms and descriptions. For example, if you want consumers to authorize you to share their health information, you need to tell them specifically how it will be used, for example, by a pharmaceutical company for marketing purposes, a life insurer for coverage purposes, or an employer for screening purposes. If you are a business associate, there's a crucial first step: the covered entity must give you explicit permission via a HIPAA business associate contract.
So that's part of the BA; there is an additional contract for that kind of disclosure. This means you cannot ask a consumer to sign a HIPAA authorization if the business associate contract does not expressly permit you to do so. FTC Act. Now, once you've drafted a HIPAA authorization, you can't forget the FTC Act. The FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce. Among other things, this means that companies must not mislead consumers about what is happening with their health information. What does that mean in practice? You need to do more than just meet the requirements for a HIPAA-compliant authorization. Your business must consider all of your statements to consumers to make sure that, taken together, they don't create a deceptive or misleading impression. Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that's a violation of the FTC Act. So how do you comply with the FTC Act? Review your entire user interface. Don't bury key facts in links to a privacy policy, terms of use or HIPAA authorization. For example, if you're claiming that a consumer is providing health information only to her doctor, don't require her to click on a patient authorization link to learn that it is also going to be viewable by the public. And don't promise to keep information confidential in large boldface type but then ask the consumer, in a much less prominent manner, to sign an authorization that says you will share it. Evaluate the size, color and graphics of all your disclosure statements to ensure they are clear and conspicuous. Take into account the various devices consumers may use to view their disclosure information. If you are sharing consumer health information in unexpected ways, design your interface so that scrolling is not necessary to find that out.
For example, you can't promise not to share information prominently on a webpage and then require consumers to scroll down through several lines of HIPAA authorization to get the full scoop. Tell consumers the full story before asking them to make a material decision, for example, before they decide to send or post information that may be shared publicly. Review your user interface for contradictions and get rid of them. The same requirements apply to paper disclosure statements. Don't give consumers a stack of papers where the top page says their health information is going to their doctor but another page requests permission to share the health information with a pharmaceutical firm. And then if you need more guidance, there are links here to official documents, and if you have a health app, don't forget to consult the mobile health apps interactive tool. So there's also that.

Now, it's interesting, because I always think of the pharmaceutical commercials where they show, you know, people on the beach playing and talk about the conditions that a certain pharmaceutical might treat, and then they'll real quickly ramble through all of the side effects. And that's kind of what this reminds me of. You can't just say, okay, we're going to share your information with your doctor, and then somewhere real quick there's another little box that you're asking them to put their initials in that says we're also going to share this with a pharmaceutical company for marketing purposes. So I hope that helps with any healthcare providers that might need to have that question answered. That is straight from hhs.gov, so it doesn't really get any more specific than that. And that is going to wrap up this week's episode of the ProactiveIT Podcast. So until next week everyone, stay secure and make sure you have applied all of those patches.
Transcribed by https://otter.ai