HIPAABreachCyber SecurityHealthcare ITInformation SecurityPodcast

ProactiveIT Ep 15 – Cheap IT Can Be Expensive

By January 31, 2020 No Comments
Episode 15 - Cheap IT Can Be Expensive FB

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus Cool Advances in Tech, Do Acupuncturists Need HIPAA & Cheap IT Can Be Expensive

This is Episode 15!  

Intro

 Hi Everyone and welcome to the Proactive IT Podcast.  Each week we talk about the latest in tech and cyber news, compliance and more.  We also bring you real world examples to learn from so that you can better protect your business and identity. 

This podcast is brought to you by Nwaj Tech – a client focused & security minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

 Thanks for listening to this podcast.  Show us some love on Apple or Google Podcasts.  Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group.  Search for Get HIPAA Compliance

QOTW:  I own a break/fix IT business.  I was contacted by a physical therapist to help with some basic computer issues.  Is there anything I need to know about HIPAA before agreeing to help?

Patch Tuesday Update:

Microsoft Releases January 2020 Office Updates With Crash Fixes

Firefox 72.0.1

Python 2.7 has reached EOL
Windows 7 EOL is on Patch Tuesday 1/14

 Juniper Networks Releases Security Updates

Cisco Releases Security Updates for Multiple Products

https://www.us-cert.gov/ncas/current-activity

Microsoft’s January 2020 Patch Tuesday Fixes 49 Vulnerabilities

Citrix Patches CVE-2019-19781 Flaw in Citrix ADC 11.1 and 12.0

NEW

Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings – Cisco has released patches for this vulnerability

Apple Releases Multiple Security Updates
Cisco Releases Security Updates for Cisco Small Business Switches

Cyber Security News

Average Cost To Recover From Ransomware Skyrockets To Over $84,000

NSA Releases Guidelines to Improve Cloud Security

Trello exposed! Search turns up huge trove of private data

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

Google Sets Record High in Bug-Bounty Payouts

Burger flipping robot now stands on its head

Severe ‘Perfect 10.0’ Microsoft Flaw Confirmed: ‘This Is A Cloud Security Nightmare’

TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

Topic 1:  Egypt’s building a new capital: Inside the smart city in the desert

Topic 2:  Drones, autonomous driving and more: UPS’s new modernization initiatives

Topic 3:  1 Way Cheap IT Costs More for Healthcare

HIPAA Corner: Naturopaths, Acupuncturists Do They Need to Follow HIPAA

https://cohenhealthcarelaw.com/2015/02/acupuncturists-comply-hipaa-share-electronic-medical-record/

 

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/

Episode 15 - Cheap IT Can Be Expensive PIN

Transcription

This is the ProactiveIT podcast this week the latest in it and cyber security news plus cool advances in tech. Do acupuncturist need HIPAA and cheap it can be expensive. This is Episode 15 Hi everyone and welcome to the proactive it podcast. Each week we talk about the latest in tech and cyber news compliance and more. We also bring your real world examples to learn from so you can better protect your business and identity. This podcast is brought to you by and watch tech a client focused and security minded consultant located in Central Connecticut. You can find us at unwashed check. com that’s NW Aj tech.com. Or before we jump in, I just want to say thanks for listening to this podcast show some love and Apple or Google podcasts or wherever you listen to podcasts. It would be great if you could leave us some feedback, positive feedback of course. Right after you listen to this episode, go over there. Say five stars, great podcasts, whatever. We really, really would appreciate it because it really helps us spread the word. Also, if you go on Facebook and search for get HIPAA compliance if you are a business that has to deal with HIPAA compliance, search, forget HIPAA compliance and join the HIPAA compliance Facebook group. I share stuff to that group all the time, including this podcast. So go and join really would be helpful to your business if you have to deal with HIPAA. We do have one question that came in. It is from an IT person I own a break fix it business, I was contacted by a physical therapist to help with some basic computer issues. So I believe it was something to do with the browser. Is there anything I need to know about HIPAA before agreeing to help? So I will say this much before, before I answer the question. We wrote a blog post yesterday, basically, based on that, and we’re going to review that later. But the short answer right now is, if you have to ask that question, you’re not prepared to deal with a business that needs to be HIPAA compliant. So it’s best to either refer it to another business, or you know, there really is no alternative refer to another Hippo, another business that is capable of handling a HIPAA compliant HIPAA covered entity and and is able to sign a business associate agreement and then go and learn some, some stuff about HIPAA because it is a big deal and you do need to protect yourself and that of your clients. So that’s the answer. That’s the short answer. And we of course wrote the blog post that we’re review later in the podcast. Alright, Patch Tuesday updates. On top of everything else from January you can go back to the previous episodes. To hear about those there were three new updates released this week, we have a Cisco WebEx flaw that was patched the WebEx flawless unauthenticated users join private online meetings. We have Apple releasing multiple security updates for for both OSX and for iOS. So you’ll want to update as quickly as possible. And in another Cisco update Cisco releases security updates for Cisco small business switches. So if you are using any of those, I’m sure a lot of people are using both Cisco products and Apple products. You’re going to want to take care of those and then of course if you have not applied any of the updates from earlier in the month, take care of those two windows seven did release an update post mortem, I guess an update to adjust the there was an issue with the screen resolution I believe it was or something along those lines so the I think it was the something with the the background of your desktop. So that update is available. But that’s it for Patch Tuesday and that is the end of January. So we will not be talking about Patch Tuesday for January anymore. We will be moving on to February next week, probably a couple weeks before there’s any February Patch Tuesday updates. Alright, let’s talk about the news for the week. First up in Forbes, we have a couple articles from Forbes today. average cost to recover from ransomware skyrockets to $84,000 that is almost double what it was just a year ago. So they have that last year it was 40,040 $1,198. So that would be more than doubled. Now at 4116, the numbers I had for last year were $46,800. So even that, you know, almost double. That is a lot of money. The biggest ransomware threats for this coming year and look to be sold on a kevie maze and bit pie locker. I believe all three of them now have said that they will expose data. And if you don’t pay up so they’ll steal your data encrypted, send you the ransom note. And then if you don’t pay up, released the data and so don’t a KB and maze have both held true to that they have released data for some of the victims that they have attacked. So something to think about if you if you’re still putting off taking cyber security seriously. On site where the NSA releases guidelines to improve cloud security. The guidelines include mitigation techniques of cloud vulnerabilities other than the identification of cloud security components to actors and more. NSA hopes that organizations can gain perspective on cloud security principles while addressing cloud security considerations to assist the clouds service procurement. So NSA, once again, showing that they can play nice in the sandbox are sharing more information to help business businesses and of course the government stay better protected in in the cloud. So Miss, so the most common things that they’ve addressed here, Miss configuration, which we know happens quite a bit. Poor access control, again, we know happens quite a bit. Shared tenancy vulnerabilities we’re going to talk about one of those in a moment. Generally, this isn’t not as big a deal as the first two is very rare and even even less likely to be compromised because it’s it takes a little more sophistication from a hacker. And then finally, supply chain vulnerability. So supply chain being things like the hardware and the software that you use any cloud components, you might use monitoring software, things like that. Where are the vulnerabilities there? So as an example, a few msps were compromised last year, and then the remote support software that they use to connect to their clients was used to launch ransomware on their client machines. So are we using multi factor authentication, are we using the proper password protections and those types of things that’s supply chain so it’ll be interesting. We’re going to talk about a misconfigurations shortly. Trello exposed search turns up the Huge trove of private data. So Trello is a is a collaboration type software it is their boards that you collaborate with other users across your organization or across the world it could be they, by default keep their boards private. However, many users are setting them to public which means that the boards are exposed. And some of the boards that were exposed including there was one ahead HR onboarding and included personally identifiable information, which means address, phone numbers, names, email addresses, things like that. There was a housing company that listed the fixes needed to be done on the individual homes and included broken locks. There was a facilities company that listed names, emails, dates of birth ID numbers and bacon count information for for staff, and it was an HR board that detail specific job or There’s just so many including their salary bonus and contractual obligations. That’s just a few. And this is a this is a perfect example of of not setting the proper controls and putting the proper controls in place. So, if you if we talk about what we just talked about with Cisco, this is the A perfect example of that. This is not understanding how to properly secure a sensitive information that is throughout the organization and now it is being found on the internet. So this misconfigurations and potentially access controls there too, but most likely misconfigurations on Krebs on security, we have our breach may have compromised more than 30 million payment cards now. So this this, this compromise that occurred last year. That’s almost a year ago. I think it was may not March. Sorry, march of Last year, compromised the POS is and the card readers from 150 Wireless stores. They are now saying that 30 million records, credit card records are available on the dark web to be purchased. And if you don’t know, credit cards can be purchased for as little as $2 on the internet was said to breach to not expose personal identification numbers or CVV. However, the cards can still be used as credit cards on the internet. And if you’re not watching, if you’ve used if you’ve been to Walmart, and it is in over 40 states in the United States, if you’ve been to Walmart in the last year, you’re going to want to check your credit in if you know what credit card it is maybe potentially get a new one get it replaced. They are offering some Dave Warner clients in there are offering some I believe credit monitoring. I don’t see it here but I believe there are offering credit monitor. Threat post Google sets record high end bug bounty payout. So basically, Google has paid out $6.5 million in bug bounty rewards in 2019. I’ve said it before, I’ll say it again, the bug bounty program is a good way to make some extra income. If you’re interested. It’s a good way to learn about technology. The bonuses were were paid out for all things across the Google world. So Google, Chrome, Android, Chromebook, all those things, um, Gmail, G Suite. So they’ve paid off $6.5 million. Also, in 2019, Google tripled top reward payouts for security flaws in Chrome from five to 15,000 and doubled the maximum reward amount for high quality reports from 15 to 30,000. So again, there are plenty of bug bounty sites you can learn from and then practice we do a little bit here. We don’t do a lot because I don’t have a lot of time to do those things. But you can make some money there’s a few now millionaires from bug bounty programs. A ons eating a burger flipping robot now stands on its head. So I did say beginning of the episode this was going to talk about some cool new tech. And this is a cool new tech depending on your perspective because it’s also probably going to take some jobs away at some point the days of lion cook are numbered thanks to this robotic chef. Creative robotic arm designed to cook burgers and other quick serve food at high turnover restaurants has a bright idea why not turn the robot upside down? Introducing the flippy two point O robotic fry cook and kitchen assistant. it’s on its way to transforming fast food. loopy is a lightweight, industrial robotic arm was batula for an end effector bundled with a sensor sweet and smart AI that helps it get better. The more cooks the robot started his professional career flipping burgers at Cali burger but it may soon be moving up to other foods thanks to new prototype from Robot robotics, dubbed the missile robot on rail, for ar, ar, the new design responds to difficult challenge for those hoping to bring automation into existing kitchens. Namely, there isn’t much space around the stove or griddle. And human co workers tend to need whatever space there is to maneuver. So the idea is flip it upside down. And now there’s more space. And there’s a picture there so you can see what they’re mean. But it’s cool. It really is cool. It could mean the end of cooks in some places. I don’t think you know, you can’t, can’t replace a chef but you could replace somebody who’s just flipping burgers, I suppose. It highlights a point though it highlights the highlights the need to train people in other areas now train people how to think critically how to work with technology. So it’s gonna be more and more, more and more prevalent. And we’re already seeing it. We’re seeing kiosks. We’re seeing robots in the stores doing basic things. So and we’re delivery robots are coming. They’re already being tried. I think I think I have that to talk about too. So these things are happening and we need to refocus our thinking two things that will be beneficial to our future for employment because these are taking jobs. Unfortunately, one of the jobs it’s going to take is high school jobs. on Forbes, severe perfect 10.0 Microsoft law confirm this is a cloud security nightmare. I do believe they may be maybe stretching it a little bit here. But this is a cloud security nightmare. According to checkpoints IANA bombas tells me this is the author exact often, it undermines the concept of cloud security. You can’t prevent it can’t protect yourself. The only one who can is the cloud provider. So this goes back to the tenancy aspect that we talked about a moment ago, in this case on Microsoft Azure checkpoint, found a vulnerability, disclose it to Microsoft and Microsoft did take care of it. They’ve also found vulnerabilities in WhatsApp, tick tock and zoom in recent months. But the vulnerability was in the hardware that exists to support to be able to launch these virtual servers on Azure. And the problem is that they were able to exploit it and potentially see what is on the other servers. Now, there is some chip issues as well that we know about for Intel. But let me just read this, when I don’t think we’re talking about until today anyway, so states it’s huge. I can’t even start to describe how big it is the reason for that hyperbole that Bama says his team found the first remote code execution exploit on a major cloud platform. One user could break the cloud isolation. So the servers you spin up a server is supposed to be isolated from all the others unless you, you know, in your configuration connected to something. So in doing so they can intercept code, manipulate programs. And isolation is the basis of cloud security enabling the safe sharing of common hardware. So again, you have that Microsoft has this usually very, very powerful server that you can spin up software versions of servers of virtual machines, is what it really is. And those are supposed to be isolated from other virtual machines on that same hardware server. And they found checkpoint found a flaw that allowed for remote code execution between those supposedly isolated servers. And last bit of news trick button this is on bleeping computer chip bought uses a new windows 10 USC bypass to launch quietly so trick but as we know as a baking Trojan has switched to a new windows 10. us a bypass to execute soft with elevated privileges without showing your User Account Control prompt. I think this is the second time I’m reporting something similar to this some Windows users. Windows uses a security mechanism called united user count control USC that will display a prompt every time a program is run with administrator privileges. When these prompts are shown, they will ask logged in user if they wish to allow the program to make changes. And if the program suspicious or unrecognized, the user will of course select No. The USC bypasses a phone and legitimate Microsoft Windows programs that are used by used by the operating system to launch other programs as they are not considered a high priority Microsoft it could be a while before discovered bypasses a fixed if at all. So check back figured it out. You know, the way you windows Microsoft does it. So now they’re going to do it to another reason to stay secure. Stay up to date. That’s going to do it for the news. We’re going to move on to our hot topics for the week. Alright, hot topics we were going to focus on some positives this week. There wasn’t a whole lot of ransomware attacks reported or cyber security issues reported this week. So we’re going to we’re going to focus on some positives for change. And because Tech has a lot of upside to E just building a new capital inside the smart city in the desert, and new administrative center being built between the Nile and the Suez Canal will be the country’s first smart city. Egypt is building a new as yet unnamed capital designed to be the country’s new administrative hub and home to more than 6.5 million residents to new capital will cover 700 square kilometers or 270 square miles making it about the size of Singapore and will be located 35 kilometers or 21 miles east of Cairo. Plans for the city include a new parliament and Presidential Palace Egypt’s largest airport, Africa’s tallest tower, the Middle East largest Opera House $20 billion entertainment district in a giant urban park bigger than Central Park in New York. One key driver behind initiative as the country’s rapid population growth and new baby is born in Egypt, the most populous country in the Middle East every 15 seconds, which translates to about 2 million new people per year. Cairo is already a congested, congested, polluted and overcrowded city that is predicted to double in size by 2050 to 40 million people. By then the country’s wider public expected to jump to 150 million up from just 100 million today forget ISIS just population boom is the biggest threat. That’s what Newsweek said in 2017. Population challenges aside, other potential motors for the move, included desire by President Sisi, who came to power when the military took charge in 2011. To break from the past and make his mark in history, as well as efforts to stimulate the economy which has remained sluggish since the events of the Arab Spring. money well spent projected costs for the new capital range between 45,000,000,058 billion while the initiative has its supporters others have questioned expense. given some of the financial challenges such as rapid inflation, unemployment, a downturn in tourism, shoddy infrastructure and a modest job creation that the country has faced in recent years. Although there are positive signs in all these areas, there’s still a lot of work to be done. For the country to watch the government spend 10s of billions on us on the city, while also hearing them say we’ll have tighten our belts. It sends a contradictory message Timothy Caldas and non resident fellow at the career institute a Middle East Policy in Cairo told NBC News there was something very wrong with the order of priorities agreed political analyst Hassan Nephi in an interview with AP, maybe LCC wants to go down in history as the leader who built a new capital. But if Egyptians don’t see an improvement, and living conditions in services, he will be remembered as the president who destroyed what is left of the middle class. And I’m, you know, political stuff aside, I think we’re seeing under the political of the middle class anyway across the world. Despite these misgivings developed is rapidly moving ahead. The first government ministries are intended to relocate to the new capital in the mid 2020. And a flurry of contracts have recently been signed for everything from a new 834 million business park, who has citywide digital security system and Honeywell installing over 6000 wireless cameras across the city. Meanwhile, the state owned operated telecom Egypt and agreed in support tember 2019 to build a a 40 billion in Egyptian which works out to 2.44 billion telecommunications network network within the next six months, train and plane manufacturer Bombardier has been contracted to build a 21 station monorail in the New York in a new city as well as a new line to connect East Cairo with the new capital, described by Danny dippin and the president of Bombardier Transportation as a Smart Mobility solution for Cairo’s urban future. The 54 kilometer, which is 33 miles line can carry 45,000 passengers an hour, just a minute travel time from us cargo to the new capitals around 60 minutes. A website for the project promises that the new capitals developed with structured strategic vision for smart city integrating a smart infrastructure to provide many services to citizens division includes smart routing of traffic congestion and accidents smart utilities to reduce consumption and cost smart buildings and energy management including a focus on renewal. Energy and using IoT to save power consumption as well as building optical fiber infrastructure connecting every building using ftt. x technology plans for 900 square kilometer, which is roughly 35 square miles farm are also part of the mix. Along this government has announced that it intends to make the new administrative capital the first cashless city in the country. So that’s interesting. Again, there’s some finance challenges and of course, some people believe it’s not the right, step forward. I am a proponent of of innovation. I think, maybe, yes, there are challenges but maybe it’s, you know, first of all, it does stimulate the economy because it creates jobs. But at the same time, maybe this is the future maybe this is what needs to be done in order to improve things worldwide, not just in Egypt, but anywhere. Another cool article that was on zt net, so is this one Drones autonomous driving and more ups is new modernization initiative. So I mentioned earlier we were going to talk a little bit about delivery robots. But ups on Wednesday announced a series of new initiatives, partnerships and products all and upgrading its global logistics network. And this is innovation guys, this is innovation one on one we know Amazon is really pushing its way into the delivery world. And taking a chunk away from UPS and FedEx and the United postal service. And so this is ups saying, okay, we’re not going to take this line down. We saw what happened to to a lot of retail outlets, and we’re not going to let that happen to us. A few of the announcements were focused specifically on modernizing its delivery fleet, with autonomous vehicles and electric vehicles first ups announced a new partnership with the self driving car company waymo. The companies are jointly launching a pilot program to test autonomous vehicle package pickup in the Phoenix Arizona area starting in the coming weeks, when Most Chrysler Pacifica minivans will deliver packages from ups stores locations to a local ups sorting facility. The minivans will drive autonomously, with a waymo train driver onboard to a monitor operations. While this is just a pilot, two companies aim to develop a long term partnership plan. Meanwhile, UPS has venture capital arm ups ventures is investing in arrival, which makes electric vehicle platforms and purpose built vehicles. Ups also plans to purchase 10,000 electric vehicles from the company and collaborate with its develop electric with it to develop electric vehicles with advanced driver assistance systems. Ada is ups is also expanding its drone operations in the healthcare sector. A key business vertical for ups first logistics logistics company announced an initiative to test drone delivery use cases with Henry Schein a worldwide distributor of medical and dental supplies. They also they’ll focus on testing the delivery of essential health care products to destinations where traditional road transport may be less Effective or timely, such as remote communities or areas impacted by natural disaster. Last year, UPS formed a subsidiary drone business ups flight forward. He received a highly restricted air carrier certification from the Federal Aviation Administration fall allowing for approved ups drones to fly over people at night and out of the operators line of sight after granting ups delight fight. After granting ups flight forward to special certification the FAA authorized the company to operate a drone delivery program at Wake med Hospital in Raleigh, North Carolina. Ups announced Wednesday that it’s expanding its ups flight forward service to the University of California San Diego health. Launching in February in partnership with matter net the drone program will use will be used to transport various medical products between health centers and labs per FFA FAA rules the drones will follow predetermined flight paths within visual line of sight. Little more from ups to logistics company plans to add 5 million square feet of new automated sortation capacity to its facilities this year. Starting with new facilities in Pennsylvania ups is more than halfway through a three year plan to add more automation to its facilities, with the goal to drive 30 to 35% improve productivity when compared to manual processing and older sites by the end of 2021. Nearly 100% of eligible packages will be sorted with automated technology. Ups announce the next generation of its on road integrated optimization and navigation. Orion platform the latest version includes dynamic optimization which recalculates individual package delivery routes throughout the day to account for traffic conditions as well as changing pickup commitments and delivery orders. Ups announced that square is joining us Digital Access Program giving merchants working with square and platform access to ups services. That’s pretty cool too. The premium program provides access to a suite of ups services to more easily fulfill e commerce orders and managed shipping thinking The little guy. So, UPS really making some strides in innovation. That’ll be interesting to see how that plays out and it whether or not FedEx and United States Postal Service which is notorious notoriously behind the times. We’ll see how that plays out for them. And other delivery services. There are smaller ones of course. But Amazon has really, really got everybody else think rethinking strategy right now. And then finally, a blog post on wash tech.com and W AJ tech com. One way cheap, it costs more for healthcare. And I told you about the question of the week earlier in the episode so this why this blog post came to be so cheap, it is not good. It can cost you much more in the long run. And this is really is about healthcare, but it can be any business. So here’s the thing you own in you own or operate a healthcare practice. You might be a physician’s practice optometrist, dentist or You’ve been a chiropractor, maybe you’re running an ambulance service. Perhaps you have an independent pharmacy in the middle of town that everyone loves. No matter what type of healthcare entity you have, there’s no doubt that you are using computers and other forms of technology. When you need technical support, you probably call around, hire someone who’s relatively cheap to fix the issue and then go about your business might even have someone you reach out to. Every time you have a problem. It could be someone referred to you by another business owner. It might even be a family member who fixes computers as a hobby. And by the way, those are all real scenarios I get to that you hired the IT consultant large part because they offered service and it much more affordable rate than some of the other it consultants in the area. That’s great. You’re saving a few bucks and getting your computers repaired when they need to be that IT consultant could end up costing you far more than the established, more expensive it consultants. Let’s forget about bad advice, shortcuts and mistakes and underqualified IT consultant can make things like that. Using free anti malware programs are not properly validating your backup solutions or even suggesting that you use a shared Gmail just for the entire staff to simplify things, yes have witnessed all of these things. There is one incredibly important reason not to hire the guy down the street who fixes your neighbors computers for $50. All the businesses are listed above most likely need to have a HIPAA program in place. Part of the part of HIPAA says that anyone vendors who you hire to perform work that may include potentially accessing pH I, that is protected health information require a business associate agreement. Yeah, I’m the most Omnibus rule states that a business associate, which is essentially your downstream for support of your healthcare business can be held liable under the HIPAA rules. In fact, the OCR has stated that we can expect more enforcement directed at business associates. In other words, if a breach occurs, and IT consultant is at four, then then they will be the party the OCR investigates Potentially fines if you don’t have a BA in place with the IT consultant and your car is going to hold you liable if they determine that a HIPAA program was not being filed. If you don’t have a BA with your IT consultant and you most likely don’t have a HIPAA compliance program, you should you could be subject to enforcement. HIPAA enforcement can and usually does include financial penalties and corrective action plan. In many cases to corrective action plan can cost more than the settlement. The corrective action plan will also meet you’ll need to hire qualified IT consultant that will sign a PA a few thousand dollars you saved by hiring the neighborhood guy who pushes free anti malware programs are starting to look like a bad decision, isn’t it? Let me try to put this another way. If you’re a chiropractor and someone came into your practice because of back pain, but decided they were going to go to a friend of a friend because they can fix the back issues for a lot less money. Would that sit well with you know because they are not qualified and they would potentially hurt the person even more. IT consulting is no different. You want to hire, qualified, experienced support to have to prevent breaches. You want to have someone that has as much skin in the game as you. So why did I bring this up? Again, I told you about the question. But you know, in all honesty, I do see this a lot I see. And it’s not so much physicians offices, it’s more the dentist, optometrist, chiropractors, those types of businesses that some believe they don’t need to, to follow HIPAA and then wrong. They do. The HIPAA rule says if you’re transmitting to an insurance company electronically and so I’m paraphrasing, if you’re transmitting to an insurance company electronically then you by all by you are you do need to be covered under HIPAA. And then if you do somehow breach, and it’s more likely if you don’t believe that you need to follow HIPAA. If you are breached Then you are subject to, to financial penalties and or settlements and a corrective action plan which actually sometimes costs more than that to just the financial penalty because of the things you need to do to mitigate the problems. So that’s, that’s going to do it for our hot topics for the week. That last one is a blog post on our website. So you can go check that out and the first two are on CD net. Alright, it’s time for a little bit of education. I’m switching it up a little bit this week. This is coming from a blog post on corn healthcare law. I’m not familiar with them. They’re not local to me. But I was doing some research on whether or not natural paths and acupuncture and those types Well, I guess it’s Eastern medicine will call it whether or not they need to be HIPAA compliant. And I’ll tell you after reading this, there’s still not a real clear answer, I will say, and this is focused on acupuncture by the way. So I will say if an acupuncturist is able to, to build through insurance and transmit so electronically, then they should be covered under HIPAA. That is not the direction that this article leads. So, some of this is going to be left up to your own interpretation. So, let’s go through it whether Hippo plus the acupuncturist who share medical record is one of those arcane questions our healthcare lawyers get the answer isn’t all that easy to obtain. So same thing I said, like many healthcare and FDA legal issues, they said the question is fun treasure hunt through the legal rules. HIPAA itself is a real statute under which the US Secretary of Health and Human Services has promulgated at least five regular Which only the first to privacy and security are the ones we normally care about. Before we even start, there’s a preemption rule to tackle HIPAA will supersede relevant state law unless state laws found to be more stringent. So as an example, in Connecticut, the reporting law, the rules for reporting and HIPAA breach are 60 days, or I’m sorry, in Connecticut is 90 days but HIPAA says it’s 60 days so we would follow HIPAA in that case. Now, if Connecticut said 30 days, then we would follow Connecticut. HIPAA does not preempt state requirements related to reporting of disease, child abuse, birth and death and authorized public health surveillance a public health investigation or intervention. So we may see some of that soon with the on the not on the corona virus outbreak. So if we start to see that more in the US, you can see you might see some of the public health surveillance. HIPAA regulates electronic data exchanges. healthcare information. The relevant provisions of HIPAA known as the Administrative Simplification provisions, essentially amended federal six Social Security x Medicare and Medicaid provisions. HIPAA is intended to protect the privacy of patients protected health information pH I, means individually identifiable health information that is transmitted by Electronic Medical media maintain electronic media or transmitted or maintained in any other form of or medium, whether electronic or hardcopy, so that paper copies are still covered. pH is a subset and I mentioned that because that is a common misconception. pH is a subset of individuals health information. identifiable health information means health information including demographic information and identifies the individual with respect to which there is a reasonable basis to believe. information can be used to identify the individual but requires covered entities to provide information and writing to patients about the privacy rights. how their information will be used. So when you visit your doctor you sign that piece of paper says they’ve told you, even though they didn’t really tell you develop policies, procedures and systems to protect patient privacy and patient’s ability to access it, attend and amend their records, some of which we do train staff on these procedures. We also do appoint a privacy officer to ensure privacy procedures are developed and adopted and followed. Point of security officer to ensure security procedures are developed, adopted and followed. Secure patient records that contain pH from individuals who should not see them. account for specified disclosures of Ph. I establish a compliant of complaint mechanism for privacy concerns, establishing a force a system of sanctions for employees who violate privacy, policies and procedures notify patients and government agencies in the event of a breach where required which is anywhere in the United States. Typically, health care plans subject to HIPAA will have a compliance plan including a compliance manual with a full set policies, procedures and forms. HIPAA only applies to the following types of covered entities for the moment we’re admitting business associates and their subcontractors, health plans health care clearing house a health care provider who transmits any health information in electronic form, in connection with a transaction referred to in Section 1173, a one here to 62 refers to the section of HIPAA and 1173 to the section being inserted into the Social Security Act. HIPAA is as noted codified in title 42 of the USC under HIPAA the term health care provider includes a provider of services as defined in Section 1861. You a provider of medical or other health services as defined in Section 1861 s and any other person furnishing health care services or supplies next under 1861. You the term provider of Services means a hospital critical access hospitals skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency hospice program or a fund. The term medical or other services has a lengthy definition which includes physician services, services and supplies furnaces incident to physicians professional service, diagnostic x rays, tests, durable medical equipment, ambulance service and other services, which do not appear to apply to service services an acupuncturist. Accurate punctures might furnish the catch all any other person furnishing health care services or supplies is not limited to medical services or physicians. It would appear to encompass services by an acupuncturist this conclusion is bolstered by definition of healthcare under HIPAA regulation HIPAA health care means care services or supplies related to the health of an individual healthcare includes but is not limited to the following preventative diagnostic therapeutic, rehabilitative maintenance or politics. Care and Counseling Service assessment or procedure with respect to the physical or mental condition, or functional status of an individual or or that affects the structure or function of the body and sale, a dispensing, sale or dispensing of a drug device equipment or other item and in accordance with the prescription so that would be your pharmacist. Further, the US Department of Health and Human Services on its web page dedicated to Health Information Privacy states that a health care provider includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies and others, but only if they transmit any information in electronic form in connection with the transaction of which HHS has adopted a standard list suggest to other providers such as acupuncturists would not be included. Again, open to interpretation. hhs also provides an easy to use Question and Answer decision tool to determine whether one is covered entity and it Did I think I linked to that in a previous show, but this article will be linked so you can get to that. This links to a decision chart on the website for the Centers for Medicare and Medicaid Services. The first question is, does the person business or agency furnish bill or receive payment for health care and a norm, normal course of business? So it does sound as though acupuncturist would be considered health care providers subject to HIPAA. However, HIPAA only applies to health care provider whose transmit any health information electronic form and connection with transaction referred to in Section 1173. A one to statutory Section requires HHS to adopt standards for transactions and data elements. For such transactions to enable health information to be exchanged electronically, that are appropriate for the financial administrative transactions describing a paragraph two and other financial administrative transactions determine appropriate by the Secretary, consistent with the goals of improving operation of healthcare system and reducing administrative costs. So part two transactions the transactions referred to in paragraph one of our transactions transactions. Can’t say that word today transactions with respect to the following health claims or equivalent income encounter information, health claims attachments, enrollment and disenrollment and health plan eligibility for your health plan. Health care payment and remittance advice health plan premium payments first report of injury health claims status referrals certificates, referral certification and authorization. Under the HIPAA regulations, transaction means the transmission of information between two parties to carry out financial or administrative activities relevant related to health care includes the following types of information transmissions, healthcare claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits health care Claim Status enrollment and disenrollment and health plan eligibility for health plan health plan premium payments referred certification authorization, first report of injury, health claims attachments, other transactions that the Secretary may prescribe by regulation. Of these two questions whether sharing patient medical information in office via an EHR constitutes health claims, or equivalent encounter information HIPAA regulates defined HIPAA regulations defined health claims are equivalent operation equivalent encounter information as either the following a request to obtain payment and unnecessary accompanying information from a healthcare provider to a health plan for health care. If there is no direct claim because the reimbursement contract is based on a mechanism other than charges are reimbursement rates for a specific services, the transaction is the transmission of encounter information for the purpose of reporting healthcare. So the scenario of acupuncturist sharing an EHR in and of itself does not appear to trigger HIPAA compliance necessarily. short form of this is that we typically look to whether providers electronically transmit patient health information for insurance reimbursement, this isn’t legal advice, per se. It’s a journey through regulatory treasure hunt. So all that to say that still don’t have a solid answer, and I would say this, so I’ve actually used an acupuncturist in the past and I paid cash. I think most acupuncturists operate that way that they will accept cash. And they probably don’t want to deal with the insurance companies. Maybe because of HIPAA, maybe because of the hassle of dealing with insurance companies. I don’t know. Maybe I’ll have an acupuncturist on a future episode because I am still friends with one are actually probably a couple. But, but that being said, if the acupuncturist can bill insurance, and they do and I don’t think all insurance companies will, will pay for acupuncture, but I will tell you, it works. It works great. And if you think it hurts, it doesn’t I fell asleep after the first time fly Sleep every time I went. Um, but if the insurance company will pay for acupuncture and the acupuncturist decides to Bill insurance company for the for the session through electronic means, then to me that means that they are they do fall into HIPAA at that point. Because there’s some gray areas and what I just read and this is this is from a law firms website. So this is somebody that deals with the legal aspects of HIPAA. So there are some gray areas, you know, the state other or you know, it’s hard to list all the different healthcare options that are out there because, you know, you get into natural path you get into things like Reiki, right? I’m not sure how to say Reiki I think it is, which some people don’t consider actual health care, but some people do. It’s Eastern medicine. Eastern medicine is is not really a popular choice in the United States. We’ve follow more of a western medicine. But there are people out there that that really like Eastern medicine, it’s more natural. And so that’s their preference. So some food for thought. In my opinion, if the acupuncturist is billing for through insurance through electronic methods, then they should be held under HIPAA. That’s going to do it for a HIPAA education piece. We’ll talk about the breaches next. So we started off the week pretty hot with HIPAA breaches then it got quiet and then we have one from today. reported yesterday, I should say. So let’s start off Boma health discovers 20 month insider breach Beaumont health and not for profit Hospital Health System business Phil Michigan has discovered a former employee has access to medical records of patients without authorization and is understood to have shared protected health information with another individual. internal investigation was launched when it was discovered medical records had been accessed without the author authorization. A review of the former employees access laws revealed to unauthorized access first occurred on February 1 2017, and continued until October 22 2019. The breach was discovered in December 2018. I’m not sure if these dates are archives that would be more than two years, not 20 months. So the dates might there might be a typo here. bomont Health said its internal investigation and determine on December 10 2019 that the medical records of 1100 and 82 patients were accessed over a period of 20 months. Information potentially obtain and it’s disclosed included names, addresses, contact, telephone numbers, dates of birth, email As health insurance information, reason why medical care was sought and social security numbers, the individuals to whom the information was believed had been disclosed was affiliated with a personal injury lawyer. So this is the second time we’re seeing such a thing. In recent months, there was a New York hospital where the same thing happened. Most of the patients whose records were access had sought treatment for injuries sustained in motor vehicle accidents. When author on went on authorized access was confirmed employee was fired for violating hospital policies and HIPAA rules. The incident has been reported to law enforcement in Beaumont health said it will assist law enforcement if prosecution is pursued. matter has also been reported to Michigan healthy Hospital Association, or patients in fact affected by the incident have been notified by mail credit monitoring and identity theft protection services had been offered to patients whose social security number was compromised. Patients have been advised to be alert to the risk of identity theft and fraud and have been advised to check their explanation of benefits statements and accounts carefully. Report any suspected case of misuse of their information. Boma health has taken steps to update internal policies and procedures to prevent similar incidents from occurring in the future. So a little bit of maybe access controls I’m not sure if the employee should have had access or not. They obviously weren’t monitoring access logs carefully. And he was he was giving information to a personal injury attorney is probably for a kickback. Former VA employee sense for leaking medical records of former Army major so yet another employee issue former employee at Department of Veteran Affairs Benefits Administration has been sentenced for accessing accessing the medical records of veterans without authorization for leaking medical records of a former US Army major who ran for congress in West Virginia in 2018. Jeffrey Miller 40 of Huntington, West Virginia pleaded guilty to accessing medical records of six veterans including the former Army major Richard O’Hara photographs of the records were taken as soon To an acquaintance image of a haters medical records were subsequently distributed to high ranking republicans and attempt to influence the 2018 campaign for the third congressional district in West Virginia. Miller was sentenced on January 21 2020 in federal court and will serve six months in jail so six months for stealing six records, maybe one month per record, I don’t know. I will Department of Human Services notifies 4784 patients about improper disposal incident. So the Department of Human Services has notified 4784 individuals about the potential exposure of some of their protected health information. November 25 2019, and member staff dispose the documents containing the protected health information of Dallas County clients in a regular garbage dumpster instead of sending the records for shredding. By the time the improper disposal incident was discovered the dumpster had been emptied and investigation was launched which revealed the custodian player who dispose the paperwork was unaware that the documents contain confidential information. It wasn’t Not possible to determine exactly which patients patients were affected, so notification letters were sent to all individuals potentially impacted by the breach. The documents likely contain information such as names, dates of birth mailing addresses, driver’s license numbers, so security numbers, disability information, medical information, banking and wage information, received a Medicaid mental health information provider names, prescriptions and substance abuse and illegal drug use information. So in this case, it sounds like we had maybe a box or something that was not properly labeled, and was mistaken for garbage and thrown out with the regular garbage when it should have been taken to the shredder. Cedar Brook nursing home residents notified of impermissible disclosure of prescription information 688 residents of the cedar Brook nursing home in Lehigh, Pennsylvania, Lehigh County, Pennsylvania are being notified that their prescription information was accidentally share with companies interested in tendering for the house for the nursing homes pharmacy contract, an email was sent to us 16 companies in December 2018, with an incorrect file attachment the correct file contain invoice information detailed the medications described, prescribed in October through November. File attached to the email including the names of the patients who received those medications. There was discovered promptly, and requests were sent to all 16 companies asking for the file to be deleted. All 16 companies which were HIPAA covered entities confirmed that the file had been deleted. All affected individuals have been notified about the privacy breach. Out of the abundance of caution the risk of misuse of patient information is believed to be very low. procurement procedures have now been updated and require or I’ll, I’ll go and contact information to be checked by supervisor prior to being sent again, a little bit of 2020 is hindsight or hindsight is 2020. I think the issue that we have here is that how do we know that they really deleted that information Hopefully they did. But how do we really know that they did. And then the last one this week a website Eric’s both personal and health out of labcorp patients. So researchers at TechCrunch have identified a security flaw in a website hosting an internal customer relationship management system used by the clinical lab network labcorp. While the system was password protected, the researchers found a flaw in the part of the system that pulled patient files from the backend system. The flaw allow patient data to be accessed without requiring a password. And the web address was visible to search engines. Google had cash only one document continued to help that of a patient. But by changing the document number and the web address, the researchers were able to open other documents containing patient health information now this just changing that one number that is a bug bounty thing. So I mentioned bug bounty earlier, Google paid off 6.5 million last year. That is a an an early technique taught in bug bounty when you’re learning about bug bounty. The researchers examined a small study collection of files to see what types of data had been exposed documents mostly contain information about patients who had tests conducted by lab coats integrated oncology specialty testing unit to documents contain personal information such as names and dates of birth, lab test results and diagnostic data and for some patients social security numbers TechCrunch, researchers used computer commands to determine the number of documents accessible on the website, they structured the commands to return information about the properties of the files rather than opening the documents to avoid accessing patient information. The analysis revealed around 10,000 documents could potentially be accessed TechCrunch notify labcorp about the issue, and the server was taken offline while offline while the flaw was corrected. The link to the expose data has not yet been removed from Google but is no longer active and cannot be used to view patient data. This is the second major security incident to be experienced by labcorp in the past 12 months, the records of labcorp patients were exposed in the 26 million record breach at American Medical collection agency MCA and march 2019 7.7 million labcorp patients were initially thought to have been affected, but the breach was reported to HHS OCR has as having affected up to 10,251,784 seven 784 lab CT patients so labcorp really, really not doing too well there and not entirely their fault. That is going to do it for this episode of the proactive it cyber proactive it podcast. Almost got confused with the daily episode. That is the end of this episode, the product of it podcast episode 15. Until next week, everyone, enjoy the end of the month, stay secure and we’ll talk to you next week.

Transcribed by https://otter.ai

Scott Gombar

Author Scott Gombar

More posts by Scott Gombar

Leave a Reply